Different organisations have different industry and regulatory requirements for compliance.
For the Payment Card Industry (PCI), compliance with their Data Security Standards (DSS) means adhering to a highly-prescriptive technical standard, aimed at securing cardholder data and preventing payment card fraud.
Today I’m looking at how the OWASP Top 10 can help your organisation adopt security industry best practices and improve PCI DSS compliance.
What is the OWASP Top 10?
The OWASP Top 10 is a list of the ten most critical web application security risks, published by the Open Web Application Security Project (OWASP).
It represents a consensus among many of the world’s leading information security experts on the greatest security risks, determined by attack frequency and the size of their impact.
PCI DSS Compliance
PCI DSS compliance is not about passing a yearly audit to ensure that all of the right boxes are ticked when a PCI assessment is conducted – there’s no official certificate for compliance. Rather, it’s about making sure cardholder data is kept secure, by meeting all of its requirements.
Part of the PCI DSS requirements relate specifically to developing and maintaining secure systems and applications in order to protect cardholder data:
6.5 Address common coding vulnerabilities in software-development processes as follows:
- Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
- Develop applications based on secure coding guidelines.
Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures
Addressing common coding vulnerabilities is a key element your organisation needs to excel at, in order to achieve compliance. The OWASP Top 10 is a key resource for this; in fact, PCI DSS requirements 6.5.1 to 6.5.10 are directly based on the current OWASP Top 10 list.
How the OWASP Top 10 Can Improve Compliance
There are three main things your organisation can do to improve compliance with PCI DSS requirements:
1) Provide Security Training
Security training is a crucial first step to achieving compliance. For maximum efficacy, your development team should receive role- or language-specific training, as this will be more actionable for them than general security training.
The OWASP Top 10 is a valuable resource for security training as it improves awareness of the most critical vulnerabilities, which developers can then address directly in their work.
2) Create a Framework to Simplify Application Security
As well as identifying security risks, the OWASP Top 10 provides guidance on how to avoid each of them. This creates a simple framework for organisations to follow to integrate awareness of security risks into the software development lifecycle (SDLC).
Adopting the guidance provided by the OWASP Top 10 is regarded as “the most effective first step towards changing the software development culture within your organisation into one that produces secure code”.
3) Stay Up-to-date
It is up to you to ensure that your organisation remains up to date with new vulnerabilities and threats as they emerge, and to incorporate appropriate measures into its secure coding practices. The OWASP Top 10 is a key resource for this up-to-date information, since the Top 10 is revised over time and changes to it may mean that some of the PCI DSS requirements that reference it become outdated.
Discover an actionable, effective framework for improving your application security, and download our whitepaper below.