
VM-14 Code Security Check: Cardholder Data Environment

>Control Description

Where applicable, security testing performed prior to releasing code into production includes the following:

• code injection
• buffer overflows
• insecure cryptographic storage
• insecure communications
• improper error handling
• high-risk vulnerabilities
• cross-site scripting
• improper access control
• cross-site request forgery
• broken authentication and session management

Theme: Process

Type: Detective

Policy/Standard: Secure Development Lifecycle Policy

>Implementation Guidance

1. Ensure a process has been defined and documented for performing source code checks for vulnerabilities.
2. Ensure the following aspects are covered as part of the testing:
• code injection
• buffer overflows
• insecure cryptographic storage
• insecure communications
• improper error handling
• high-risk vulnerabilities
• cross-site scripting
• improper access control
• cross-site request forgery
• broken authentication and session management
3. Ensure all vulnerabilities are tracked and resolved per the organization's SLA.

>Testing Procedure

1. Inspect and validate whether a process has been defined and documented for performing source code checks for vulnerabilities.
2. For a sample scan, validate whether the following aspects were covered as part of the testing:
• code injection
• buffer overflows
• insecure cryptographic storage
• insecure communications
• improper error handling
• high-risk vulnerabilities
• cross-site scripting
• improper access control
• cross-site request forgery
• broken authentication and session management
3. For a sample source code vulnerability, validate that it was tracked and resolved per the SLA.

>Audit Artifacts

E-VM-15
E-RM-02

>Framework Mappings

Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.
