Payment Card Industry Data Security Standard - PCI DSS
The PCI DSS standard is published by the PCI Security Standards Council and is a set of standards and best practices for protecting payment cardholder data. The standard sets out a broad set of guidelines for proactively protecting customer data, covering everything from secure networking to secure development and design, vulnerability management, and access control.
Klocwork can assist in addressing the areas of the standard that relate to developing and maintaining secure software applications. Klocwork static source code analysis allows development teams building applications that are subject to PCI DSS to implement a consistent, policy-based approach to ensuring that coding vulnerabilities are removed from the software.
There are three specific sections of the standard that Klocwork can directly address:
| Requirement | PCI DSS Compliance Requirement | Klocwork Support |
|---|---|---|
| 6.3 | Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle. | Klocwork Insight Pro automates the detection of critical security vulnerabilities at the coding stage, at the system build/integration stage, and during pre-QA security audits. |
| 6.5 | Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project (OWASP) guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include the following: 6.5.1 Unvalidated input; 6.5.2 Broken access control (for example, malicious use of user IDs); 6.5.3 Broken authentication and session management (use of account credentials and session cookies); 6.5.4 Cross-site scripting (XSS) attacks; 6.5.5 Buffer overflows; 6.5.6 Injection flaws (for example, structured query language (SQL) injection); 6.5.7 Improper error handling; 6.5.8 Insecure storage; 6.5.9 Denial of service; 6.5.10 Insecure configuration management. | Klocwork Insight can detect hundreds of different security vulnerabilities in C, C++ and Java. For organizations deploying Klocwork for PCI DSS compliance purposes, all vulnerabilities are reported to developers, security managers, and auditors in a PCI-compatible format, allowing easy tracking and reporting of an organization's performance against its PCI DSS compliance goals. |
| 6.6 | Ensure that all web-facing applications are protected against known attacks. Recommended techniques for doing this include the use of source code analysis tools. | Klocwork Insight is a static source code analysis tool used by over 500 organizations worldwide and is a proven solution for organizations that require a rigorous approach to writing more secure code. |
Klocwork's vulnerability analysis capabilities are built on advanced static code analysis technology combined with a large family of vulnerability checkers (kept current through our own research), as well as collaboration with the following security initiatives:
- National Institute of Standards and Technology (NIST)
  - The Software Assurance Metrics and Tools Evaluation (SAMATE) project offers a Reference Dataset that includes more than 1000 vulnerabilities and weaknesses in C/C++ and Java
  - The entire SAMATE Reference Dataset is part of Klocwork's test suite, with a pass rate above 90%
- Department of Homeland Security (DHS)
  - The Common Weakness Enumeration (CWE) initiative is developing an extensive library of all known weaknesses in software code, drawn from academic and industry sources
  - Klocwork is a Phase 1 contributor to this initiative
- OWASP Top 10 support