DZone
Open Source Zone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
  • Refcardz
  • Trend Reports
  • Webinars
  • Zones
  • |
    • Agile
    • AI
    • Big Data
    • Cloud
    • Database
    • DevOps
    • Integration
    • IoT
    • Java
    • Microservices
    • Open Source
    • Performance
    • Security
    • Web Dev
DZone > Open Source Zone > Hygiene for Open Source Software Is Now a PCI Requirement

Hygiene for Open Source Software Is Now a PCI Requirement

With security at the forefront of both consumers' and developers' minds, this new standard from PCI provides regulations for open source security and governance.

Matt Howard user avatar by
Matt Howard
·
Feb. 25, 19 · Open Source Zone · News
Like (2)
Save
Tweet
4.20K Views

Join the DZone community and get the full member experience.

Join For Free

As we said last year, the software industry is failing to protect the public from data theft and misuse, motivating government officials, associations and third-party standards groups to step in and put policies and regulations into place.

One such organization that has long been working to help make electronic payments safer and more secure is the PCI Security Standards Council. Last month, the association introduced an important new software security standard, the PCI Secure Software Standards and the PCI Secure Software Lifecycle (Secure SLC) Standard.

What exactly does the new standard mean? Why should anyone care?

The new standard requires organizations to govern their use of open source software, and it states that any application utilized as part of the payment process, must be secure by design. Here at Sonatype, we know the incredible power of open source software development when it is done within a properly-governed environment. We also understand the significant risks of open source software development when it is not properly governed. Furthermore, we know that with proper governance, cyber attacks targeting open source vulnerabilities are easily prevented.

PCI's new Secure SLC outlines security requirements and assessment procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data.

Let me break down exactly what PCI says when it comes to open source governance and managing the software supply chain.

It notes that threats to the software and weaknesses within its design must be continuously identified and assessed. Specifically, when it comes to the use of open source components and third-party libraries organizations are responsible for ensuring they, as well as any of their vendors, have:

  1. An up-to-date inventory of open-source components utilized in the software
  2. A process for identifying known vulnerabilities within open source components
  3. 360-degreee monitoring of open source components throughout the SDLC
  4. A policy and process to immediately remediate vulnerabilities as they become known

To effectively utilize open source components at scale, organizations must generate a software bill of materials (SBOM) so they can easily track and trace the location of every single component embedded within their production software applications.

Indeed, having a SBOM is the only way to immediately assess/remediate exposure every time new open source vulnerabilities are publicly disclosed — and, from what I can tell, it's a very straightforward way to comply with the new PCI standard.

So what next? Try our free Nexus Vulnerability Scanner to see for yourself how easy it is to comply with PCI's new Secure SLC standard.

Open source Payment card industry Software development Open-source software Requirement

Published at DZone with permission of Matt Howard, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • Progressive Web Apps vs Native Apps: Differences and Similarities
  • Top 7 Features in Jakarta EE 10 Release
  • Migrating Legacy Applications and Services to Low Code
  • When Writing Code Isn't Enough: Citizen Development and the Developer Experience

Comments

Open Source Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • MVB Program
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends:

DZone.com is powered by 

AnswerHub logo