The week after next, OWASP AppSec EU begins in Athens, where I am speaking. During my presentation I will discuss the newly mandatory Requirement 6.2 in PCI DSS, which relates to the ranking of vulnerabilities, with special emphasis on ranking the severity of vulnerabilities in software applications.
Requirement 6.2: Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.
In Tricolour Alphanumerical Spaghetti I will also describe alternative ways of meeting PCI DSS v2.0 Requirement 6.2, which becomes mandatory tomorrow, 30th June, having previously been considered only a best practice. I will discuss risk ranking schemes and how to develop a method for evaluating vulnerabilities and assigning a risk rating that is relevant to your own specific environment and business needs.
PCI DSS Requirement 6.2 influences other requirements in which the prioritisation of vulnerabilities is referenced:
- 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
- 6.5.6 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following: ... All "High" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.2).
- 10.4 Using time synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
- 11.2.1 Perform quarterly internal vulnerability scans.
- 11.2.3 Perform internal and external scans after any significant change.
So, I am hoping it will be of use to those with PCI DSS obligations, as well as to organisations that simply want to know what the severity rating of a vulnerability, flaw, fault or weakness means. The presentation is being given at 15:20 hrs on Thursday 12th in the "Builders" track.
Immediately prior to the conference there are training courses. There are still some places left on my course Application Attack Detection & Response — A Hands-on Planning Workshop being held on Tuesday 10th July. This will be a highly interactive day with generous learning opportunities. Last time we did the course, the participants really enjoyed it and gave great feedback.
If you are going to the conference, why not take the opportunity to receive some training? On the next day, Wednesday, you could also register for the training course Elite Web Defense — How to Build Robust and Secure Web Applications, being run by the excellent Jim Manico and Eoin Keary. Register for the training and conference here.
Posted on: 29 June 2012 at 08:25 hrs