Published on January 6, 2014
PCI-DSS 3.0 Compliance with White Source

Overview

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements. As part of PCI-DSS, organizations must “maintain a vulnerability management program”, which includes developing and maintaining secure systems and applications (cf. Requirement 6).

Requirement 6: Develop and maintain secure systems and applications

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.

Importantly, as part of a vulnerability management program, software vendors are required to ensure not only that their own code is not vulnerable, but also that the open source libraries that are an integral part of their product are not likely to pose a security risk. White Source – a leading open source compliance and security management vendor – provides this service to both software vendors and their customers. We continuously monitor web vulnerability databases and notify software vendors and their customers when a vulnerability is discovered which directly affects their product, as well as when a fix is available.

Who Must Comply

According to Visa, all acquirers and issuers must comply, and must also ensure the compliance of their merchants and service providers who store, process, or transmit Visa account numbers. However, much of PCI is quite general and has evolved to become a gold standard for many organizations in other industries as well.
Why White Source

White Source helps software developers and their customers comply with Requirement 6 of the standard. Whereas most software vendors do a good job of controlling the quality and security of their own code, they often need help managing the quickly growing body of open source libraries that their developers use to boost their own code.

©2014 White Source Software Ltd. All Rights Reserved. White Source is a Trademark of White Source Software

White Source is the leading provider of open source license compliance and security management solutions. Specifically, White Source provides two main services related to PCI:

1. Proactively alert software developers whenever security vulnerabilities are discovered in specific open source libraries that are used within their products.
2. Proactively alert software vendors when a new version is released for an open source library they use, including a reference to the vulnerabilities and other bugs that were fixed.

In addition, White Source helps software vendors comply with open source licenses and regulations by continuously keeping track of all open source libraries used in each of their projects and product versions. Software vendors, as well as their customers, can use White Source to enforce an open source acceptance policy, including ensuring compliance with the requirements of specific licenses in a way that mitigates legal and business risks.

White Source for PCI-DSS 3.0

White Source primarily helps address the following PCI-DSS security requirements.

Requirement

- 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
- 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install security patches within one month of release.
- 6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
  - In accordance with PCI DSS
  - Based on industry standards and/or best practices
  - Incorporating information security throughout the software-development life cycle
- 6.4.5 Change control procedures for the implementation of security patches and software modifications.

White Source Solution

- Continuously monitors common security vulnerability databases.
- Catalogs CVEs according to severity: high, medium, low.
- Matches CVEs to open source libraries.
- Identifies CVEs that are relevant to the open source libraries used in a specific software project and product version.
- Proactively alerts whenever a security vulnerability becomes known for a relevant open source library.
- Proactively alerts when a fix/patch is available, and continues to alert until it is installed.
- Can be used to enforce compliance with open source security best practices by both internal software developers and external software vendors.
- Its agile approach makes it easy to incorporate best practices throughout the entire software development lifecycle.
- Follows and documents all changes to open source libraries due to (1) new or changing functionality; (2) patches and upgrades; and (3) changes to the open source library itself, including especially the addition of new dependencies.
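The workflow described above (match advisories against the open source libraries a product actually ships, rank each finding high/medium/low for 6.1, and keep flagging a finding until the fix is installed or the one-month patch window of 6.2 has passed) can be sketched as a small matcher. The following is an added example written for this page, not White Source's own code or data model: the dependency inventory, the advisory feed (with placeholder ids such as ADV-0001), the CVSS-to-rank thresholds and the 30-day SLA are all constructed assumptions, and real tooling would pull the feed from a vulnerability database and the inventory from the build.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Ordering used to sort findings so that "high" is reported first (6.1 risk ranking).
RANK_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Dependency:
    """One open source library shipped in a specific product version."""
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """One vulnerability record as a feed might express it (constructed shape)."""
    advisory_id: str          # placeholder ids below; a real feed would carry CVE ids
    library: str
    affected_below: str       # every version strictly below this one is affected
    fixed_in: Optional[str]   # first fixed version, None while no fix exists
    cvss: float
    fix_released: Optional[date]  # when the fix shipped, None while no fix exists


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric versions only (assumption); '1.2.10' sorts after '1.2.9'."""
    return tuple(int(part) for part in version.split("."))


def risk_rank(cvss: float) -> str:
    """Assumed CVSS thresholds for the 6.1 high/medium/low ranking."""
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def is_affected(dep: Dependency, adv: Advisory) -> bool:
    """A library is affected when the advisory names it and its version predates the fix."""
    return dep.name == adv.library and parse_version(dep.version) < parse_version(adv.affected_below)


def patch_status(adv: Advisory, today: date, sla_days: int = 30) -> str:
    """6.2: patches should be installed within one month (assumed as 30 days) of release."""
    if adv.fix_released is None:
        return "no fix available"
    deadline = adv.fix_released + timedelta(days=sla_days)
    return "overdue" if today > deadline else "within SLA"


def build_report(inventory: List[Dependency], feed: List[Advisory], today: date) -> List[Dict[str, str]]:
    """Match every shipped library against every advisory; highest rank first."""
    findings = []
    for dep in inventory:
        for adv in feed:
            if is_affected(dep, adv):
                findings.append({
                    "library": f"{dep.name} {dep.version}",
                    "advisory": adv.advisory_id,
                    "rank": risk_rank(adv.cvss),
                    "fixed_in": adv.fixed_in or "none yet",
                    "status": patch_status(adv, today),
                })
    findings.sort(key=lambda f: RANK_ORDER[f["rank"]])  # stable: feed order within a rank
    return findings


# Constructed sample data: a product's inventory and a four-entry advisory feed.
INVENTORY = [
    Dependency("libfoo", "1.2.3"),
    Dependency("libbar", "2.0.0"),
    Dependency("libbaz", "0.9.1"),
]
FEED = [
    Advisory("ADV-0001", "libfoo", "1.2.5", "1.2.5", 9.8, date(2014, 1, 1)),
    Advisory("ADV-0002", "libbar", "2.1.0", "2.1.0", 5.0, date(2013, 11, 15)),
    Advisory("ADV-0003", "libbaz", "0.9.0", "0.9.0", 3.1, date(2013, 6, 1)),   # already past the fix
    Advisory("ADV-0004", "libbaz", "1.0.0", None, 2.0, None),                   # no fix yet
]
TODAY = date(2014, 1, 6)  # constructed "now" for the SLA check


if __name__ == "__main__":
    for finding in build_report(INVENTORY, FEED, TODAY):
        print(finding)
```

Run as a script, the report lists the libfoo finding first (high, fix released five days ago and so still within the window), the libbar finding as medium and overdue because its fix has been out for more than 30 days, and the second libbaz advisory as low with no fix available; the first libbaz advisory produces no finding because 0.9.1 is already at or past the fixed version. The "overdue" and "no fix available" states are exactly the ones a change-control process (6.4.5) needs to keep tracking rather than close.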