Learn more at https://kirkpatrickprice.com/video/pc...
PCI Requirement 6.3 focuses on the software development lifecycle, or SDLC. PCI Requirement 6.3 states that all internal and external software applications must be securely developed, in accordance with the PCI DSS, industry best practices, and with information security incorporated.
A securely developed software application should have several capabilities. It should be able to function in a hardened application or operating system. The application must encrypt sensitive data in storage and in transmission. It should operate on a system that supports antivirus. Securely developed software supports authentication controls. It should also have the ability to be patched and continuously updated.
Secure software applications need to be developed in accordance with industry best practices. There are several development methodologies to work with (Waterfall, Scrum), but according to the PCI DSS, the best way to ensure you securely develop software applications is to incorporate information security into several phases of your development process: requirement gathering, design, development, and testing.
Requirement Gathering: Your organization should spend time identifying the functional and technical specification requirements that an application needs to operate on.
Design: Your organization’s method for designing an application should ensure that it’s developed according to the requirement specifications called out in the previous phase.
Development: Developers must write secure code. Your organization should train your staff, at least annually, on how to develop secure code.
Testing: This phase ensures that an application is fully hardened before it’s pushed into production. An assessor will gather your test cases to verify that the requirement specifications, design functions, and security functions incorporated are secure.
If information security is not incorporated into each of these phases, security vulnerabilities could be unintentionally or maliciously introduced into the production environment. In production, the PCI DSS requires separation of duties to further secure the software application. The development environment should be separate from production, just as the developers should be separate from the managers of production.
About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.
For more about KirkpatrickPrice: https://kirkpatrickprice.com/
Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/