©2014 White Source Software Ltd. All Rights Reserved. White Source is a Trademark of White Source Software
PCI-DSS 3.0 Compliance with White Source
Overview
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance
cardholder data security and facilitate the broad adoption of consistent data security measures globally.
PCI DSS provides a baseline of technical and operational requirements.
As part of PCI-DSS, organizations must develop and maintain secure systems and applications, and must
develop and “maintain a vulnerability management program” (cf. Requirement 6).
Importantly, as part of a vulnerability program, software vendors are required to ensure not only that their
own code is not vulnerable, but also that open source libraries that are an integral part of their product are not
likely to pose a security risk. White Source – a leading open source compliance and security management
vendor – provides this service to both software vendors and their customers. We continuously monitor web
vulnerability databases and notify software vendors and their customers when a vulnerability is discovered
which directly affects their product, as well as when a fix is available.
Who Must Comply
According to Visa, all acquirers and issuers must comply, and must also ensure the compliance of their
merchants and service providers who store, process, or transmit Visa account numbers. However, much of PCI
is quite general and has evolved to become a gold standard for many organizations in other industries as
well.
Why White Source
White Source helps software developers and their customers comply with Requirement 6 of the standard.
Whereas most software vendors do a good job of controlling the quality and security of their own code, they
often need help managing the quickly growing body of open source libraries that their developers use to
boost their own code.
Requirement 6: Develop and maintain secure systems and applications
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.
White Source is the leading provider of open source license compliance and security management solutions.
Specifically, White Source provides two main services related to PCI:
1. Proactively alert software developers whenever security vulnerabilities are discovered in specific open
source libraries that are used within their products.
2. Proactively alert software vendors when a new version is released for an open source library they use,
including reference to the vulnerabilities and other bugs that were fixed.
In addition, White Source helps software vendors comply with open source licenses and regulations by
continuously keeping track of all open source libraries used in each of their projects and product versions.
Software vendors, as well as their customers, can use White Source to enforce an open source acceptance
policy, including ensuring compliance with the requirements of specific licenses in a way that mitigates legal
and business risks.
White Source for PCI-DSS 3.0
White Source primarily helps address the following PCI-DSS security requirements:

Requirement 6.1: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
White Source solution:
- Continuously monitor common security vulnerability databases
- Catalog CVEs according to severity: high, medium, low
- Match CVEs to open source libraries
- Identify CVEs that are relevant to open source libraries used in a specific software project and product version

Requirement 6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install security patches within one month of release.
White Source solution:
- Proactively alert whenever a security vulnerability becomes known for a relevant open source library
- Proactively alert when a fix/patch is available, and continue alerting until it is installed

Requirement 6.3: Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
- In accordance with PCI DSS
- Based on industry standards and/or best practices
- Incorporating information security throughout the software-development life cycle
White Source solution:
- Can be used to enforce compliance with open source security best practices by both internal software developers and external software vendors
- Agile approach makes it easy to incorporate best practices throughout the entire software development lifecycle

Requirement 6.4.5: Change control procedures for the implementation of security patches and software modifications.
White Source solution:
- Follows and documents all changes to open source libraries due to (1) new or changing functionality; (2) patches and upgrades; and (3) changes to the open source library itself, including especially the addition of new dependencies.
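The 6.1/6.2 workflow described above (monitor an advisory feed, rank each item high/medium/low, match it to the libraries in one product version, and keep flagging an available fix until it is installed or the one-month window is exceeded) as an added Python sketch. This is example code, not White Source's product or code; the advisory feed, the library and product names, the assessment date and the CVSS-to-high/medium/low mapping are all constructed assumptions.

```python
from datetime import date
# Constructed advisory feed standing in for the public vulnerability databases the
# text refers to; identifiers are placeholders, not real CVE numbers.
# fixed_in is the first non-vulnerable release, or None when no fix exists yet.
ADVISORIES = [
    {"id": "CVE-EXAMPLE-0001", "library": "libfoo", "fixed_in": "1.4.2",
     "cvss": 9.1, "fix_released": date(2014, 3, 1)},
    {"id": "CVE-EXAMPLE-0002", "library": "libbar", "fixed_in": None,
     "cvss": 5.0, "fix_released": None},
    {"id": "CVE-EXAMPLE-0003", "library": "libfoo", "fixed_in": "1.2.0",
     "cvss": 2.1, "fix_released": date(2013, 11, 5)},
]
# Constructed open source inventory for one product version (hypothetical names).
INVENTORY = {"product-1.0": {"libfoo": "1.3.0", "libbar": "2.2.1", "libbaz": "0.9"}}
AS_OF = date(2014, 4, 15)  # constructed assessment date
RANK_ORDER = {"high": 0, "medium": 1, "low": 2}

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def risk_rank(cvss):
    # Assumed mapping from a CVSS v2 base score to PCI's high/medium/low ranking.
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"

def find_exposures(product, inventory, advisories, as_of, patch_window_days=30):
    """Match advisories to the libraries in one product version (6.1) and flag
    fixes that are available but still not installed past the window (6.2)."""
    findings = []
    for adv in advisories:
        used = inventory[product].get(adv["library"])
        if used is None:
            continue  # library not used in this product version
        fixed = adv["fixed_in"]
        if fixed is not None and parse_version(used) >= parse_version(fixed):
            continue  # a fixed release is already installed
        overdue = (adv["fix_released"] is not None
                   and (as_of - adv["fix_released"]).days > patch_window_days)
        findings.append({"library": adv["library"], "version": used,
                         "advisory": adv["id"], "rank": risk_rank(adv["cvss"]),
                         "fix_available": fixed is not None, "patch_overdue": overdue})
    return sorted(findings, key=lambda f: RANK_ORDER[f["rank"]])

if __name__ == "__main__":
    for finding in find_exposures("product-1.0", INVENTORY, ADVISORIES, AS_OF):
        print(finding)
```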