PCI DSS application source code audit and review

PCI Security Source Code Review

What is PCI Security Source Code Review?

PCI DSS requirement 6.3 details that organisations must "Develop software applications (internal and external, and including web based administrative access to applications) in accordance with PCI DSS (for example, secure authentication and logging), and based on industry best practices. Incorporate information security throughout the software development life cycle."

PCI DSS requirement 6.3.2 stipulates that organisations must also perform a "Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability."

PCI security source code review provides a deep analysis of software source code to search for both accidental security weaknesses and deliberately built-in ones.

PCI security source code review is used by clients that require PCI DSS compliance and run custom applications within the cardholder data environment.

A PCI security source code review enables scrutiny of application code to detect accidental security vulnerabilities and deliberate application backdoors. The code review is more exhaustive than a PCI web application penetration test and can be used, for example, to efficiently discover every instance of SQL injection, XSS and certain other vulnerability classes in a given code set.

Overview of our service

Our PCI security source code reviews are conducted at a client's site or remotely from one of our test centres using an on-site appliance. During a remote PCI source code review the source code remains in the client's control on the client premises and is analysed remotely by a qualified Security Test Engineer using the source code review toolset on the on-site appliance.

A hybrid approach to PCI source code reviews blends automated scanning with intelligent human analysis. We use a combination of in-house developed and commercial tools:

  • Plynt custom scripts (a series of perl, grep and regex scripts)
  • Static code analyzers (source code scanners)
  • Commercial tools, e.g. HP WebInspect
  • Process, file and registry usage monitors

As part of this service, we benchmark web applications against the globally accepted software security standards. See Web Application Security Certification.

Key service attributes

The hybrid PCI security source code review technique has been acknowledged as an efficient and innovative approach to code reviews.

  • Greater test coverage through use of automated scripts to analyse the entire code base
  • Business logic flaws and custom application backdoors detected
  • Proprietary scripts are developed, customised and extended for each application and programming style
  • Custom automated scripts that flag suspicious code for the reviewer give greater efficiency
  • Zero false positive findings, as human intelligence is used to verify each finding
  • Rapidly changing applications are tested efficiently, regularly and cost effectively using differential source code review techniques
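To illustrate the hybrid and differential techniques listed above, here is an added example that is not Plynt's or Security Alliance's own toolset: a grep-style regex triage pass that is run only over the lines a release adds (the example assumes that "differential review" means re-examining only code changed since the last review). The unified diff, the PHP file and the three detector rules are all constructed for this example; every hit is a candidate for the human verification step, not a confirmed vulnerability.

```python
import re

# Constructed sample: a unified diff of a hypothetical PHP checkout page
# between two releases (not real client code).
SAMPLE_DIFF = """\
--- a/checkout.php
+++ b/checkout.php
@@ -10,3 +10,5 @@
 $pan = $_POST['card'];
-$stmt = $db->prepare("SELECT * FROM cards WHERE id = ?");
+$sql = "SELECT * FROM cards WHERE pan = '" . $_POST['card'] . "'";
+$rows = mysqli_query($db, $sql);
 echo "<p>Thank you</p>";
+echo "<p>Hello " . $_GET['name'] . "</p>";
"""

# Hypothetical grep-style triage rules; each hit is a candidate for human review.
DETECTORS = {
    "sql-concat": re.compile(
        r'(SELECT|INSERT|UPDATE|DELETE)\b.*["\']\s*\.\s*\$_(GET|POST|REQUEST|COOKIE)', re.I),
    "reflected-output": re.compile(r'\becho\b.*\$_(GET|POST|REQUEST|COOKIE)', re.I),
    "dangerous-call": re.compile(r'\b(eval|exec|system|passthru|shell_exec)\s*\(', re.I),
}

def added_lines(diff_text):
    """Yield (path, new_line_number, text) for each line the diff adds."""
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            name = raw[4:].split("\t")[0]
            path = name[2:] if name.startswith("b/") else name
        elif raw.startswith("@@"):
            lineno = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif raw.startswith("+") and path is not None:
            yield path, lineno, raw[1:]
            lineno += 1
        elif raw.startswith("-"):
            pass  # removed line: the new-file line counter does not advance
        elif path is not None and not raw.startswith("\\"):
            lineno += 1  # unchanged context line

def differential_review(diff_text, detectors=DETECTORS):
    """Run the detectors over added lines only; return (path, line, rule, code) tuples."""
    return [(p, n, rule, text.strip())
            for p, n, text in added_lines(diff_text)
            for rule, rx in detectors.items() if rx.search(text)]
```

Unchanged lines (the original `echo "<p>Thank you</p>"`) are never scanned, which is what keeps a differential review cheap on a rapidly changing code base.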

What you receive

The results of the tests are presented logically and clearly and are provided through an online secure portal (also downloadable as a PDF). The test report includes the following details:

  • Executive summary
    • Regulation compliance
    • Vulnerability graph
  • Detailed vulnerabilities
    • Detailed steps
    • Vulnerable code
    • Solution
    • Further reading
  • Observations
    • Title
    • Description
    • Solution
  • Test plan
  • Interpreting risk ratings
  • Mitigation tracker
  • Plynt Certification Criteria compliance
  • OWASP Top 10
  • PCI DSS compliance
  • Secure coding guidelines

The reports provide a view of the findings ranked by risk level, helping you prioritise the areas of greatest risk. Clear guidance and concise solutions are included to help you quickly eliminate all vulnerabilities found.

What to do next

Contact us on 0844 488 0963, email us at info@securityalliance.co.uk or complete our Enquiry Form to discuss requirements, get an online demonstration, request a sample report or arrange a meeting.