29 June 2012

PCI DSS Requirement 6.2 and Severity Ranking Spaghetti

The week after next OWASP AppSec EU begins in Athens where I am speaking. During my presentation I will discuss the newly mandatory requirement 6.2 in PCI DSS relating to ranking of vulnerabilities, with special emphasis on ranking the severity of vulnerabilities in software applications.

Requirement 6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.

In Tricolour Alphanumerical Spaghetti I will also describe alternative ways of meeting PCI DSS v2.0 Requirement 6.2, which becomes a mandatory requirement from 30th June (tomorrow), having previously been considered only a best practice. I will discuss risk ranking schemes and how to develop a method for evaluating vulnerabilities and assigning a risk rating relevant to your own specific environment and business needs.

PCI DSS requirement 6.2 influences other requirements where the prioritisation of vulnerabilities is referenced:

  • 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
  • 6.5.6 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following: ... All "High" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.2).
  • 10.4 Using time synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
  • 11.2.1 Perform quarterly internal vulnerability scans.
  • 11.2.3 Perform internal and external scans after any significant change.

So, I am hoping it will be of use to those with PCI DSS obligations, as well as to organisations who simply want to know what the severity rating of a vulnerability, flaw, fault or weakness means. The presentation is being given at 15:20 hrs on Thursday 12th in the "Builders" track.

Immediately prior to the conference there are training courses. There are still some places left on my course Application Attack Detection & Response — A Hands-on Planning Workshop being held on Tuesday 10th July. This will be a highly interactive day with generous learning opportunities. Last time we did the course, the participants really enjoyed it and gave great feedback.

If you are going to the conference, why not take the opportunity to receive some training? On the next day, Wednesday, you could also register for the training course Elite Web Defense — How to Build Robust and Secure Web Applications, being run by the excellent Jim Manico and Eoin Keary. Register for the training and conference here.

Posted on: 29 June 2012 at 08:25 hrs

http://www.clerkendweller.com/2012/6/29/PCI-DSS-Requirement-62-and-Severity-Ranking-Spaghetti

© 2012-2013 clerkendweller.com