DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones AWS Cloud
by AWS Developer Relations
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones
AWS Cloud
by AWS Developer Relations
11 Monitoring and Observability Tools for 2023
Learn more
  1. DZone
  2. Culture and Methodologies
  3. Agile
  4. Hygiene for Open Source Software Is Now a PCI Requirement

Hygiene for Open Source Software Is Now a PCI Requirement

With security at the forefront of both consumers' and developers' minds, this new standard from PCI provides regulations for open source security and governance.

Matt Howard user avatar by
Matt Howard
·
Feb. 25, 19 · News
Like (2)
Save
Tweet
Share
4.35K Views

Join the DZone community and get the full member experience.

Join For Free

As we said last year, the software industry is failing to protect the public from data theft and misuse, motivating government officials, associations and third-party standards groups to step in and put policies and regulations into place.

One such organization that has long been working to help make electronic payments safer and more secure is the PCI Security Standards Council. Last month, the association introduced an important new software security standard, the PCI Secure Software Standards and the PCI Secure Software Lifecycle (Secure SLC) Standard.

What exactly does the new standard mean? Why should anyone care?

The new standard requires organizations to govern their use of open source software, and it states that any application utilized as part of the payment process, must be secure by design. Here at Sonatype, we know the incredible power of open source software development when it is done within a properly-governed environment. We also understand the significant risks of open source software development when it is not properly governed. Furthermore, we know that with proper governance, cyber attacks targeting open source vulnerabilities are easily prevented.

PCI's new Secure SLC outlines security requirements and assessment procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data.

Let me break down exactly what PCI says when it comes to open source governance and managing the software supply chain.

It notes that threats to the software and weaknesses within its design must be continuously identified and assessed. Specifically, when it comes to the use of open source components and third-party libraries organizations are responsible for ensuring they, as well as any of their vendors, have:

  1. An up-to-date inventory of open-source components utilized in the software
  2. A process for identifying known vulnerabilities within open source components
  3. 360-degreee monitoring of open source components throughout the SDLC
  4. A policy and process to immediately remediate vulnerabilities as they become known

To effectively utilize open source components at scale, organizations must generate a software bill of materials (SBOM) so they can easily track and trace the location of every single component embedded within their production software applications.

Indeed, having a SBOM is the only way to immediately assess/remediate exposure every time new open source vulnerabilities are publicly disclosed — and, from what I can tell, it's a very straightforward way to comply with the new PCI standard.

So what next? Try our free Nexus Vulnerability Scanner to see for yourself how easy it is to comply with PCI's new Secure SLC standard.

Open source Payment card industry Software development Open-source software Requirement

Published at DZone with permission of Matt Howard, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • Distributed Tracing: A Full Guide
  • Multi-Tenant Architecture for a SaaS Application on AWS
  • Microservices 101: Transactional Outbox and Inbox
  • Getting Started With Astro

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: