PCI (Payment Card Industry Security Standard)
Develop and maintain secure systems and applications
Test 6.6
6.6 For public-facing web applications, ensure that either one of the following methods is in place:

- Examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed, using either manual or automated vulnerability security assessment tools or methods, as follows:
  - At least annually
  - After any changes
  - By an organization that specializes in application security
  - That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment
  - That all vulnerabilities are corrected
  - That the application is re-evaluated after the corrections
- Examine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows:
  - Is situated in front of public-facing web applications to detect and prevent web-based attacks
  - Is actively running and up to date as applicable
  - Is generating audit logs
  - Is configured to either block web-based attacks or generate an alert that is immediately investigated
Public-facing web applications are primary targets for attackers, and poorly coded web applications provide an easy path for attackers to gain access to sensitive data and systems. The requirement for reviewing applications or installing web-application firewalls is intended to reduce the number of compromises on public-facing web applications due to poor coding or application management practices.

- Manual or automated vulnerability security assessment tools or methods review and/or test the application for vulnerabilities.
- Web-application firewalls filter and block nonessential traffic at the application layer. Used in conjunction with a network-based firewall, a properly configured web-application firewall prevents application-layer attacks if applications are improperly coded or configured.

This can be achieved through a combination of technology and process. Process-based solutions must have mechanisms that facilitate timely responses to alerts in order to meet the intent of this requirement, which is to prevent attacks.

Note: “An organization that specializes in application security” can be either a third-party company or an internal organization, as long as the reviewers specialize in application security and can demonstrate independence from the development team.
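The second 6.6 method above asks the assessor to examine the WAF's configuration settings for three things a config file can actually evidence: the engine is running, audit logs are being generated, and the engine either blocks or alerts. The script below is an added example, not part of the PCI text or of any vendor's tooling: it reads a ModSecurity-style configuration (the directive names SecRuleEngine, SecAuditEngine and SecAuditLog are the real ModSecurity ones; the three sample configurations are constructed for the demonstration) and reports which criteria pass, which fail, and which (placement in front of the application, rule-set currency) cannot be read from the file and need other evidence.

```python
"""Evaluate a ModSecurity-style WAF config against the PCI DSS 6.6 test
criteria for an automated technical solution.

Added example; not PCI or vendor code. Directive names are the real
ModSecurity ones; the sample configs are constructed.
"""
import re

# Constructed sample: a WAF is installed but switched off and silent.
WEAK_CONFIG = """
# waf.conf (constructed)
SecRuleEngine Off
SecAuditEngine Off
"""

# Constructed sample: alert-only mode with audit logging. Passes the
# config check only if a process investigates alerts immediately.
DETECT_CONFIG = """
# waf.conf (constructed)
SecRuleEngine DetectionOnly
SecAuditEngine On
SecAuditLog /var/log/modsec_audit.log
"""

# Constructed sample: blocking mode, relevant transactions audited.
HARDENED_CONFIG = """
# waf.conf (constructed)
SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLog /var/log/modsec_audit.log
"""

DIRECTIVE_RE = re.compile(r"^\s*(Sec\w+)\s+(.*?)\s*$")


def parse_directives(text):
    """Return {directive: value} for non-comment lines; the last value wins."""
    directives = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            directives[m.group(1)] = m.group(2).strip('"')
    return directives


def evaluate_waf_config(text):
    """Map each 6.6 WAF criterion to True/False, or None when the config
    file cannot evidence it (placement, rule-set currency)."""
    d = parse_directives(text)
    engine = d.get("SecRuleEngine", "Off")      # ModSecurity default is Off
    audit = d.get("SecAuditEngine", "Off")
    result = {
        "in_front_of_app": None,   # needs a topology / routing check
        "up_to_date": None,        # needs the rule-set version and release date
        "actively_running": engine in ("On", "DetectionOnly"),
        "generating_audit_logs": audit in ("On", "RelevantOnly") and "SecAuditLog" in d,
        "blocks_attacks": engine == "On",
        "alerts_only": engine == "DetectionOnly",
    }
    # 6.6 accepts either blocking or alerting; alerting alone also needs
    # the "immediately investigated" process evidence from interviews.
    result["blocks_or_alerts"] = result["blocks_attacks"] or result["alerts_only"]
    return result


def failures(text):
    """Sorted names of the config-evidenced criteria that fail."""
    r = evaluate_waf_config(text)
    checked = ("actively_running", "generating_audit_logs", "blocks_or_alerts")
    return sorted(k for k in checked if not r[k])


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("detect", DETECT_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, "failures:", failures(cfg) or "none",
              "| alert-only:", evaluate_waf_config(cfg)["alerts_only"])
```

The `None` entries are deliberate: a config file proves nothing about where the WAF sits in the request path or whether its rule set is current, so the checker reports those as "verify by other evidence" rather than silently passing them. For the DetectionOnly case the config check passes, but the assessor still has to see the alert-investigation process that the requirement text ties to alert-only mode.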
What is a Cybersecurity Compliance Framework?
You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly-specialized and in-demand top security and privacy frameworks and certifications.
With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.
The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
- CMMC v2
- HIPAA
- NERC CIP-002 through CIP-014 Revision 6
- NIST 800-171
- NIST 800-172
- PCI (Payment Card Industry Security Standard)
- SOC 2
- NIST 800-53
- NIST SP800-161 Supply Chain Risk Management
- NIST-CSF
- CIS Framework Controls V8