IMPORTANT: Secure Code Warrior is NOT a compliance expert or consultant. The information below is based on the Payment Card Industry (PCI) Data Security Standard (DSS) Requirements and Security Assessment Procedures released in May 2018 (PCI DSS v3.2.1); requirement numbering differs in later versions of the standard.
PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. It applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
Requirement 6 of the standard is to develop and maintain secure systems and applications.
Secure Code Warrior assists with meeting requirement 6.5, which reads: "Address common coding vulnerabilities in software-development processes as follows:"
- Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
- Develop applications based on secure coding guidelines.
The testing procedures an assessor (QSA) applies for 6.5 include:
- Examining software-development policies and procedures to verify that up-to-date training in secure coding techniques is required for developers at least annually, based on industry best practices and guidance.
- Examining records of training to verify that software developers receive up-to-date training on secure coding techniques at least annually, including how to avoid common coding vulnerabilities.
- Verifying that processes are in place to protect applications from, at a minimum, the vulnerabilities enumerated in 6.5.1 through 6.5.10: injection flaws (SQL, OS command, LDAP, XPath and similar), buffer overflows, insecure cryptographic storage, insecure communications, improper error handling, all "high risk" vulnerabilities identified under requirement 6.1, cross-site scripting, improper access control, cross-site request forgery, and broken authentication and session management. Note that this third procedure is about the development process itself, not about training: training records support the first two procedures, while the third needs evidence (secure coding guidelines, code review, testing) that each category is actually addressed in how applications are built.
Based on the verbatim language of the standard, customers have used Secure Code Warrior to provide evidence of compliance with this section of the PCI DSS in several ways:
- Tournament Mode: team sessions built around typical OWASP Top 10 vulnerabilities, giving developers practice with the vulnerability categories the standard lists.
- Training Mode: developers focus on specific common weaknesses, and the platform's metrics reporting supplies the training records the assessor examines.
- Assessment Mode: evidence not only that training took place but that each developer's secure coding skills were assessed.