Get started

Web application security and the PCI DSS

Software security should be integrated into the software development lifecycle at every phase. While the PCI DSS doesn't account for all of this, here are some tips to get you started on a holistic approach toward security.

Published: 03 Jul 2008

TABLE OF CONTENTS

PCI DSS compliance: The basics

PCI DSS compliance: Code review

PCI DSS compliance: Web application firewalls (WAFs)

Web application security and the PCI DSS

Web application security and the PCI DSS

Expert advice software security

Do you have questions about software security? Let our security experts, Chris Wysopal, Caleb Sima, Dan Cornell and Ramesh Nagappan guide you. Read advice they have given or submit your own questions.

Web application firewalls and code reviews, detailed, manual, automatic or otherwise, are good components of an application security program. They are not, however, the only components. Experts stress that security must be integrated into the entire software development lifecycle.

Tip: Secure software measures: Their strengths and limitations: Greg Reber evaluates security processes in depth, including the methods recommended by requirement 6.6. Like most application security experts, he recommends a holistic approach to security.

Tip: Web application hacking: Inside the mind of an attacker: App security expert Kevin Beaver emphasizes that a malicious mindset is the key to a good security analysis. He includes many specific examples where security professionals may apply this technique.

Tip: Secure SDLC: Integrating security into your software development lifecycle: This is a heavily detailed and hyperlinked guide from Anurag Agarwal that explains how organizations can incorporate security practices into their SDLC.

Article: Application security shouldn't involve duct tape, Band-Aids or bubble gum: Application security involves integrating security into the SDLC. And it involves security professionals, risk mitigation, and data protection, at least. Joe Basirico breaks the development lifecycle down by phase: requirements gathering, requirements authoring, design, development, testing, release, and documentation.

Expert advice: Web application security testing basics: Expert Dan Cornell breaks down security testing techniques, how to use them, what they do, and when they are applicable.

Learning Guide: Application security testing techniques: This guide covers the major app sec testing techniques, such as vulnerability assessment, penetration testing, fuzz testing, obfuscation and, of course, source code analysis.

Expert advice: Application security careers have bright future: Dan Cornell explains why application security professionals are going to be needed in greater numbers than ever before.

Tip: Writing software requirements that address security issues: The requirements phase is the first opportunity for integration of security in the SDLC. Kevin Beaver outlines how to approach this process.

Send in your suggestions
Are there other topics you'd like to see learning guides on? Send associate editor Jennette Mullaney an e-mail at jmullaney@techtarget.com and let her know what they are.

Dig Deeper on Building security into the SDLC (Software development life cycle)

Is the PCI DSS a good guide for an application security program? Is the PCI DSS a sufficient guideline for implementing an application security program? Should organizations take steps beyond the mandated PCI compliance checklist?

What is new in PCI DSS V3? The Payment Card Industry (PCI) Security Standards Council has published the latest version of the data security standards

Application security: Frameworks enforce secure coding Application security experts say frameworks that enforce secure coding provide a better way for developers to write apps that can withstand attacks.

Web application firewalls: Patching, SDLC key for security, compliance Mike Chapple on improving defense-in-depth security with Web application firewalls (WAFs) and a strong software development lifecycle (SDLC) process.

Burgess Cooper SearchSecurity.in CISO Power List 2012 Profile: Burgess Cooper, CISO, Vodafone India.

How protecting against the OWASP Top 10 helps prevent compliance risk Mapping security processes to protect against the OWASP Top 10 could ease Web application vulnerabilities and help some companies stay compliant.

Web application security and the PCI DSS

Software security should be integrated into the software development lifecycle at every phase. While the PCI DSS doesn't account for all of this, here are some tips to get you started on a holistic approach toward security.

Dig Deeper on Building security into the SDLC (Software development life cycle)

Start the conversation

0 comments

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudComputing

The future of the Kubernetes ecosystem isn't all about cloud

Evaluate general and niche cloud service use cases

Compare niche cloud services to the hyperscale offerings

SearchAppArchitecture

A guide to open source technology in application development

Finding the right fit for business process automation

Business process automation software requires a strategy

SearchITOperations

Put infrastructure automation at the heart of modern IT ops

Geek gifts 2019: Think Opex, not Capex with subscriptions

Dynatrace monitoring faces market ambivalence in NoOps push

SearchAWS

Prepare for an AWS outage with these preventative steps

AWS seeks niche in the cloud UC market

National Australia Bank cashes in on AWS training and certification

Dig Deeper on Building security into the SDLC (Software development life cycle)

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.