One Article Review

The article:
Source: Veracode
Identifier: 2103303
Publication date: 2020-11-12 19:49:18 (viewed: 2020-12-15 21:05:42)
Title: New PCI Regulations Indicate the Need for AppSec Throughout the SDLC
Text: Last year, the PCI Security Standards Council published the PCI Secure Software Standard and the PCI Secure Software Lifecycle (Secure SLC) Standard as part of a new PCI Software Security Framework (SSF), also referred to as PCI S3. The SSF offers objective-focused security best practices that outline what a good application security program looks like, with consideration for both traditional and modern payment platforms and evolving development practices. The framework was developed with input from industry experts within the PCI Software Security Task Force (SSTF) and PCI SSC stakeholders.

The new SSF recognizes that there is no one-size-fits-all approach to software security. Vendors need to determine which software security controls and features best serve their specific business needs. But the outlined security requirements and assessment procedures help vendors ensure that the right steps are taken to protect the integrity and confidentiality of payment transactions and customer data.

The Secure SLC Standard is an important part of the SSF because it helps organizations maintain good application security (AppSec) practices by outlining security requirements and assessment procedures for vendors to ensure that they are managing the security of their payment software throughout the software lifecycle. To meet the requirements of the Secure SLC Standard, and in turn the SSF, vendors need to have AppSec as part of their development process from before the first line of code is written until the product is released.

Previous AppSec requirements, like those laid out in the PCI Payment Application Data Security Standard (PA-DSS), a companion standard to the PCI Data Security Standard (PCI DSS), focused only on software development and lifecycle management principles for security in traditional payment software. But modern payment software is delivered faster and more iteratively, so it needs AppSec to be integrated and automated throughout the entire development lifecycle.

The new SSF expands on this with a new methodology and approach for validating modern software security, as well as a separate secure software lifecycle qualification framework for vendors, so the PA-DSS will be retired at the end of October 2022. What does this mean for existing PA-DSS validated applications? Existing PA-DSS validated applications will remain on the List of Validated Payment Applications until their expiry dates. At the end of October 2022, PCI SSC will move PA-DSS validated payment applications to the "Acceptable Only for Pre-Existing Deployments" tab. Any new updates to PA-DSS validated payment applications must be assessed under the SSF.

A great way to start your journey to SSF compliance is by enrolling in Veracode Verified. Many of the requirements in Veracode Verified map to PCI requirements. Veracode Verified helps you improve your company's secure software development practices and shows the maturity of your program through the completion of a three-tier process. To learn more about the new PCI Software Security Framework, including additional details on migrating from PA-DSS to SSF, check out our recent blog post, The Migration From PA-DSS to SSF: Everything You Need to Know.
Sent: Yes


The article does not appear to have been re-published after its publication.


The article does not appear to be a re-publication of an earlier one.