PCI DSS (Payment Card Industry Data Security Standard): Requirement 6.6

PCI DSS (Payment Card Industry Data Security Standard)

Requirement 6: Develop and maintain secure systems and applications

Req 6.6

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

– Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.

– Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.

Public-facing web applications are primary targets for attackers, and poorly coded web applications provide an easy path for attackers to gain access to sensitive data and systems. The requirement to review applications or to install a web-application firewall is intended to reduce the number of compromises of public-facing web applications caused by poor coding or application management practices.

– Manual or automated vulnerability security assessment tools or methods review and/or test the application for vulnerabilities.

– Web-application firewalls filter and block non-essential traffic at the application layer. Used in conjunction with a network-based firewall, a properly configured web-application firewall prevents application-layer attacks even where the application itself is improperly coded or configured.

Either option can be met through a combination of technology and process. Process-based solutions (for example, a detection-only deployment that relies on staff reacting to alerts) must have mechanisms that facilitate timely responses to those alerts; the intent of this requirement is to prevent attacks, not merely to record them.

Note: "An organization that specializes in application security" can be either a third-party company or an internal group, as long as the reviewers specialize in application security and can demonstrate independence from the development team.
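The second option above, an automated solution in front of the application that "continually checks all traffic", is easiest to reason about with a concrete filter. The following is an added, illustrative example written for this page; it is not code from the PCI SSC, nor from any real web-application firewall product. The three signature rules, the sample requests and the 10-minute acknowledgement SLA are all constructed for the example. It shows the mechanism a WAF applies to each request (decode, inspect every input surface, match known-attack patterns), the difference between a "prevent" deployment and a "detect" (log-only) one, and a check that surfaces the caveat the guidance makes: alerts nobody acts on within the agreed time mean a detect-only deployment is not meeting the intent of 6.6.

```python
"""Minimal application-layer request filter (illustrative example, not a real WAF)."""
import re
import time
import urllib.parse
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed rule set for this example. Real WAFs ship far larger signature and
# anomaly rule sets; these three patterns only illustrate the mechanism and, like
# any signature, can produce false positives on legitimate input.
RULES: List[Tuple[str, str, "re.Pattern"]] = [
    ("sqli-1", "SQL injection: tautology, comment sequence or UNION SELECT",
     re.compile(r"(?i)(\bor\b\s+\S+\s*=\s*\S+|--\s|/\*|\bunion\b\s+\bselect\b)")),
    ("xss-1", "Cross-site scripting: script tag, event handler or javascript: URL",
     re.compile(r"(?i)(<\s*script|\bon\w+\s*=|javascript:)")),
    ("trav-1", "Path traversal: dot-dot segment",
     re.compile(r"(?i)(\.\./|\.\.\\|%2e%2e)")),
]


@dataclass
class Request:
    """The parts of an HTTP request the filter inspects (constructed shape, not a framework type)."""
    method: str
    path: str
    query: str = ""
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Alert:
    rule_id: str
    description: str
    location: str          # which surface matched: path, query, body, header:<name>
    evidence: str          # the matched substring, after decoding
    raised_at: float       # epoch seconds
    acknowledged: bool = False


@dataclass
class Decision:
    allowed: bool
    alert: Optional[Alert] = None


def normalize(value: str) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are inspected in clear text."""
    for _ in range(3):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(req: Request, mode: str = "prevent", now: Optional[float] = None) -> Decision:
    """Match every input surface against RULES.

    mode="prevent": first match blocks the request and raises an alert.
    mode="detect":  request is let through, but an alert is still raised (log-only).
    """
    if mode not in ("prevent", "detect"):
        raise ValueError("mode must be 'prevent' or 'detect'")
    now = time.time() if now is None else now
    surfaces = [("path", req.path), ("query", req.query), ("body", req.body)]
    surfaces += [(f"header:{name}", value) for name, value in req.headers.items()]
    for location, raw in surfaces:
        text = normalize(raw)
        for rule_id, description, pattern in RULES:
            match = pattern.search(text)
            if match:
                alert = Alert(rule_id, description, location, match.group(0), now)
                return Decision(allowed=(mode == "detect"), alert=alert)
    return Decision(allowed=True)


def overdue_alerts(alerts: List[Alert], now: float, sla_seconds: float) -> List[Alert]:
    """Alerts not acknowledged within the SLA. If a detect-only deployment keeps
    producing entries here, it is recording attacks rather than preventing them."""
    return [a for a in alerts if not a.acknowledged and now - a.raised_at > sla_seconds]


# Constructed sample traffic: one benign request and three known-attack shapes.
SAMPLE_REQUESTS = [
    Request("GET", "/products", query="id=42"),
    Request("GET", "/products", query="id=42%27%20OR%201%3D1--%20"),
    Request("POST", "/comment", body="text=%253Cscript%253Ealert(1)%253C/script%253E"),
    Request("GET", "/static/..%2f..%2fetc/passwd"),
]


def run_demo(mode: str = "prevent"):
    """Run the sample traffic through the filter; returns (per-request results, alerts raised)."""
    alerts: List[Alert] = []
    results = []
    for req in SAMPLE_REQUESTS:
        decision = inspect(req, mode=mode, now=0.0)
        if decision.alert:
            alerts.append(decision.alert)
        results.append((req.path, decision.allowed, decision.alert.rule_id if decision.alert else None))
    return results, alerts


if __name__ == "__main__":
    for mode in ("prevent", "detect"):
        results, alerts = run_demo(mode)
        print(mode, results)
        print("  overdue after 15 min with a 10 min SLA:",
              [a.rule_id for a in overdue_alerts(alerts, now=900.0, sla_seconds=600.0)])
```

Two points this makes concrete for an assessor: decoding before matching matters (the XSS sample is double-encoded and is only caught after normalization), and "detect" mode produces exactly the same alerts as "prevent" mode while letting every attack through, so the process around those alerts, not the rule set, is what determines whether the deployment meets the requirement's intent.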
