Requirement 6: Develop and maintain secure systems and applications
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses. Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.
6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.
We have deployed Windows Server Update Service to make sure every workstation and server has the latest patches and updates. All other software is reviewed on a quarterly basis and updated as needed.
6.2 Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update standards to address new vulnerability issues.
Our network administrators and desktop technicians are required to subscribe to CERT and other update services in their area of responsibility.
6.3 Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle.
6.3.1 Testing of all security patches and system and software configuration changes before deployment
6.3.2 Separate development, test, and production environments
6.3.3 Separation of duties between development, test, and production environments
6.3.4 Production data (live PANs) are not used for testing or development
6.3.5 Removal of test data and accounts before production systems become active
6.3.6 Removal of custom application accounts, usernames, and passwords before applications become active or are released to customers
6.3.7 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability.
6.4 Follow change control procedures for all system and software configuration changes. The procedures must include the following:
6.4.1 Documentation of impact
6.4.2 Management sign-off by appropriate parties
6.4.3 Testing of operational functionality
6.4.4 Back-out procedures
6.5 Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include the following:
6.5.1 Unvalidated input
6.5.2 Broken access control (for example, malicious use of user IDs)
6.5.3 Broken authentication and session management (use of account credentials and session cookies)
6.5.4 Cross-site scripting (XSS) attacks
6.5.5 Buffer overflows
6.5.6 Injection flaws (for example, structured query language (SQL) injection)
6.5.7 Improper error handling
6.5.8 Insecure storage
6.5.9 Denial of service
6.5.10 Insecure configuration management
Our programming team reviews all new Open Web Application Security Project guidelines to make sure all of the documented vulnerabilities are reviewed.
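The block below is an added illustration of two of the coding vulnerabilities listed under 6.5, 6.5.1 unvalidated input and 6.5.6 SQL injection; it is not text from the PCI DSS standard and not code from the organization whose responses appear above. It runs against an in-memory SQLite table filled with constructed sample rows; the table name, column names and customer records are assumptions made for the demonstration, and only the last four card digits are stored so that no PAN, live or test, appears (as 6.3.4 requires). The vulnerable lookup is shown beside the parameterized one, and a third variant adds allow-list validation in front of the bound parameter.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration (assumption: a simple customer
# table holding only the last four digits of a card, never a full PAN).
SAMPLE_ROWS = [
    ("alice", "1111"),
    ("bob", "2222"),
    ("carol", "3333"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT NOT NULL, card_last4 TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """6.5.6 anti-pattern: untrusted input is concatenated into the SQL text.

    A username of  ' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row, so a caller enumerates other customers' records.
    """
    query = ("SELECT username, card_last4 FROM customers "
             "WHERE username = '" + username + "'")
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """6.5.6 fix: bind the value as a parameter instead of splicing it into SQL.

    The driver passes the value separately from the statement text, so the
    same payload is compared literally against the username column and
    matches nothing.
    """
    query = "SELECT username, card_last4 FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# 6.5.1: allow-list describing what a username may look like; anything else
# is rejected at the trust boundary before it reaches any other component.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(username):
    """Return the username if it matches the allow-list, else raise ValueError."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def lookup_hardened(conn, username):
    """Both controls together: validate the input, then use a bound parameter.

    Parameterization alone stops this injection, and so would validation
    alone; applying both is the defense in depth 6.5 asks for, because a later
    change to the query (for example a dynamic ORDER BY) is less likely to
    reopen the hole.
    """
    return lookup_parameterized(conn, validate_username(username))


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))        # all three rows
    print("parameterized:", lookup_parameterized(db, payload))  # []
    try:
        lookup_hardened(db, payload)
    except ValueError as exc:
        print("hardened:", exc)                                 # rejected
```

Running the module shows the three outcomes side by side: the concatenated query leaks every row, the bound parameter returns nothing for the same payload, and the hardened path rejects the input before any query is built. The same split between the SQL text and the data applies to every database API in use; the allow-list should be tightened to whatever the application actually accepts as a username.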
6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
- Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
- Installing an application layer firewall in front of web-facing applications.
All servers that have external-facing applications run software firewalls.
Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.