Application security is a critical yet often overlooked element for organizations seeking to be PCI-compliant. Application-layer attacks compromise the flow and processing of data from within the application, leading to unauthorized access to sensitive data and more. Identifying and remediating vulnerabilities as applications are being developed and tested, and mitigating them (rather than wrapping controls around them) for applications that are already in production, is the most effective way to reduce these risks. Through its unique capability to automate and expedite the remediation of application vulnerabilities, Lucent Sky AVM can help organizations achieve PCI compliance more efficiently.
Lucent Sky AVM PCI DSS matrix
The following section has a matrix of all of the PCI DSS requirements that Lucent Sky AVM covers, as well as guidance for assessors who may be evaluating the use of it for compliance. In some cases, Lucent Sky AVM can be used to justify compliance (as in, to verify that accounts with blank passwords do not exist). The comments and guidance only apply to in-scope applications and systems. The descriptions have been edited for brevity; the PCI Security Standards Council publishes the full version of PCI DSS on their website. Assessors should review specific contracted services in conjunction with the in-scope applications to understand which elements may be used to justify compliance with PCI DSS or other security standards.
PCI DSS version 4.0.1 requirements
PCI requirement | Lucent Sky AVM | Assessor guidance |
---|---|---|
2.2.6 — System security parameters are configured to prevent misuse. | (A) Lucent Sky AVM can scan its targets to find configurations that would be deemed insecure. For example, it can look for insecure handling of information, or for connections to other systems or applications that use insecure protocols. | Lucent Sky AVM can be used in support of this requirement and should be deployed as part of the go-live process. |
3.3 — Sensitive authentication data (SAD) is not stored after authorization. | (E) Lucent Sky AVM analyzes a model of the source code and identifies potential locations in the code where sensitive information is being stored. Issues that may result in sensitive authentication data storage are highlighted for the developer to address. | Firms should use Lucent Sky AVM in addition to automated and/or manual reviews to ensure that there are no business process rules that may enable storage in certain situations after authorization. |
3.4 — Access to displays of full PAN and ability to copy PAN is restricted. | (E) Lucent Sky AVM analyzes a model of the source code and identifies potential locations in the code where sensitive information is stored in an insecure manner. Issues that may result in displays of full PAN are highlighted for the developer to address. | Firms should use Lucent Sky AVM in addition to automated and/or manual reviews. |
3.5 — Primary account number (PAN) is secured wherever it is stored. | (E) Lucent Sky AVM analyzes a model of the source code and identifies potential locations in the code where sensitive information is stored in an insecure manner. Issues that may result in insecure PAN storage are highlighted for the developer to address. | Firms should use Lucent Sky AVM in addition to automated and/or manual reviews. |
3.6 — Cryptographic keys used to protect stored account data are secured. | (E) Lucent Sky AVM analyzes situations whereby cryptographic keys are not stored securely. Insecure storage will be detected and highlighted for the developer to address. | In the case that crypto key generation is required, Lucent Sky AVM will help ensure that the code generating those keys uses methods to generate strong keys. |
4.2.1 — Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. | (E) Lucent Sky AVM can detect usage of insecure cryptographic algorithms and protocols in the source code. It can be used for those applications that rely on software controls to enforce secure protocols and encryption. It will identify situations that could be considered risky and flag them for follow-up. | Firms can use Lucent Sky AVM in conjunction with encryption tools to ensure applications are not relying on insecure protocols or algorithms. The absence of strong cryptography at the source-code or application layer does not imply its absence for the system as a whole. For example, mitigation may be applied for the entire system through a hardware-based control that encrypts/decrypts all data leaving/entering the system. |
4.2.2 — PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies. | (E) Lucent Sky AVM maps how data flows throughout an application and looks for possible disclosure of sensitive information such as passwords, credit card numbers, and SSNs. This data can ultimately find its way to a file system for storage, a system console, printers, etc., where it can be compromised. | As data flows through the various functions in an application, certain interactions could lead to data disclosure over these messaging systems. Lucent Sky AVM can help ensure that data is not transmitted over end-user messaging technologies as part of the logic flow within an application. |
6.1 — Processes and mechanisms for developing and maintaining secure systems and software are defined and understood. | (A) Lucent Sky AVM can be used to identify vulnerabilities in the source code, libraries, and configurations before applications enter production. | Lucent Sky AVM should be used to examine application code in its entirety before it is pushed to production. Processes should be put in place to ensure application security tools are applied consistently. |
6.2 — Bespoke and custom software are developed securely. | (A) Lucent Sky AVM supports this requirement by reviewing the source code for vulnerabilities that would violate PCI DSS or other security frameworks. | Lucent Sky AVM, when used in conjunction with other secure development practices, can be used to identify vulnerabilities as a developer writes code, thus preventing them from showing up in production environments. It demonstrates compliance with the requirement by checking code against various standards and security best practices. |
6.3 — Security vulnerabilities are identified and addressed. | (A) Lucent Sky AVM scans source code and binary files to identify unknown vulnerabilities, and scans dependencies to identify known vulnerabilities. All vulnerabilities will be flagged for follow-up and remediation advice provided. It helps developers avoid introducing vulnerabilities into their source code before it is committed back to the main repository. Finding and fixing vulnerabilities early reduces subsequent tracking, remediation, and re-testing. | Lucent Sky AVM is used to scan pre-production source code, binary files, and dependencies to satisfy this requirement. Exceptions should be reviewed, patches deployed, and the code rescanned to verify the problems are fixed. Removing vulnerabilities early is far more efficient than later in the lifecycle. Vulnerabilities can be resolved directly in the application or externally through additional controls. Vulnerabilities may exist due to lack of access to third-party code, because the vulnerability has not yet been remediated, or because new attack methods have created a new vulnerability. |
6.4 — Public-facing web applications are protected against attacks. | (A) Outputs from Lucent Sky AVM include Instant Fixes, production-ready code segments that replace vulnerable code and remediate the underlying vulnerabilities. These Instant Fixes use security mechanisms built into the application servers as well as industry-standard security libraries, or enterprise security libraries chosen by the firm. Lucent Sky AVM identifies vulnerable script loading practices such as loading scripts over insecure connections or missing integrity checks. Lucent Sky AVM can also inventory the scripts used by an application. | Firms using these technologies need to be explicit in where and how they are deployed for security and compliance purposes. For example, while Instant Fixes are very effective at remediating vulnerabilities resulting from insecure implementation (such as XSS and SQL injection), only a small number of vulnerabilities resulting from insecure design (such as using a weak encryption algorithm) can be remediated through Instant Fixes. Additionally, firms using Instant Fixes to deploy enterprise security libraries should demonstrate the security and compliance of those enterprise security libraries. |
7.2.2 — Access is assigned to users, including privileged users, based on job classification and function and least privileges necessary to perform job responsibilities. | (E) Some programming APIs provide excessive privileges, which could lead to a failure to restrict certain functions to a user ID. Lucent Sky AVM can detect and alert on the usage of these APIs. | Most software relies on third-party APIs for functionality. Lucent Sky AVM will help ensure that those APIs are properly restricted to programmatically enable compliance with this requirement. |
7.3 — Access to system components and data is managed via an access control system(s). | (E) Lucent Sky AVM identifies code that may override, weaken, or be vulnerable in ways that reduce the assumed level of access control in an application. | Lucent Sky AVM should be used to help detect software vulnerabilities that could lead to weakened access control. |
8.2.8 — If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session. | (E) Lucent Sky AVM will test session timeouts in applications to determine if this requirement is met. | Leveraging these tools adds an extra layer of security to your environment by ensuring that the application times out even if the terminal does not. |
8.3.2 — Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components. | (E) Lucent Sky AVM can detect the misuse of cryptographic APIs, including poor key management and insecurely stored passwords. It can identify sensitive information stored in clear text, and sensitive information stored in locations that are not protected by strong cryptography. | Weak cryptographic usage can spring from misconfiguration or outdated code. Lucent Sky AVM validates that the application uses cryptographic code properly. |
10.3 — Audit logs are protected from destruction and unauthorized modifications. | (E) Lucent Sky AVM can detect software issues that may allow log-forging attacks to be successful, which may allow unauthorized modification to occur. | Log integrity is critical if you need to use those logs to find a breach or an insider. An attack that modifies the audit trail can cover the tracks of an attacker. |
11.3 — External and internal vulnerabilities are regularly identified, prioritized, and addressed. | (A) Lucent Sky AVM can be used to identify vulnerabilities in the source code, libraries, and configurations before applications enter production. | Lucent Sky AVM should be used to examine application code in its entirety before it is pushed to production. Processes should be put in place to ensure application security tools are applied consistently. |
11.4 — External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected. | (A) As a potential compensating control, Lucent Sky AVM can be considered a valid method to meet this requirement as well, as long as all of the code the application relies on is included in the scan. | External penetration testing firms may use Lucent Sky AVM to satisfy this requirement. Assessors should review how the tool is used in support of these efforts to ensure its completeness. |
12.3 — Risks to the cardholder data environment are formally identified, evaluated, and managed. | (E) While the products here are not risk-assessment tools, they can all be used in support of a risk-assessment methodology. Lucent Sky AVM has the ability to show risk levels of specific vulnerabilities and exploit events. The results should feed into your risk-assessment process. | Outputs from Lucent Sky AVM should be incorporated into the risk-assessment process that the firm uses for this requirement. |
(A) Addresses the PCI DSS requirement. (E) Evidence from the product can be used to demonstrate PCI DSS compliance.
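The 6.4 row above refers to two checks on script loading: scripts fetched over insecure connections and scripts fetched without an integrity check, together with an inventory of the scripts an application uses. The following is an added example, written for this page and not taken from Lucent Sky AVM or its Instant Fixes, of what such an inventory-and-audit pass looks like in practice. It uses only the Python standard library; the sample page, its hostnames and the integrity value are constructed placeholders.

```python
"""Inventory the <script> tags of an HTML page and flag insecure loading.

Added example, not Lucent Sky AVM code. Findings per external script:
  - src loaded over cleartext http
  - protocol-relative src (//host/...), which inherits the page's scheme
  - cross-origin script without an integrity attribute (no SRI check)
  - cross-origin script without a crossorigin attribute
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page. Hostnames and the integrity value are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="http://cdn.example.test/lib.js"></script>
<script src="//cdn.example.test/analytics.js"></script>
<script src="https://cdn.example.test/ui.js"></script>
<script src="https://cdn.example.test/ok.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script>console.log('inline');</script>
</head><body></body></html>
"""


class ScriptInventory(HTMLParser):
    """Collect every <script> tag as a dict of its attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            # Boolean attributes arrive with value None; normalise to "".
            self.scripts.append({k.lower(): (v or "") for k, v in attrs})


def inventory_scripts(html):
    """Return the list of <script> tags found in the page."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.scripts


def audit_script(attrs, page_host):
    """Return the list of findings for one <script> tag; empty means clean."""
    src = attrs.get("src")
    if src is None:
        return []  # inline script: nothing is fetched over the network
    findings = []
    if src.startswith("//"):
        findings.append("protocol-relative src inherits the page scheme")
        host = urlparse("https:" + src).hostname
        cross_origin = host != page_host
    else:
        parsed = urlparse(src)
        if parsed.scheme == "http":
            findings.append("loaded over cleartext http")
        host = parsed.hostname
        # A relative src (no host) is same-origin and needs no SRI attributes.
        cross_origin = host is not None and host != page_host
    if cross_origin:
        if not attrs.get("integrity"):
            findings.append("cross-origin script without integrity attribute")
        if "crossorigin" not in attrs:
            findings.append("cross-origin script without crossorigin attribute")
    return findings


def audit_page(html, page_host):
    """Map each external script src to its findings (clean scripts map to [])."""
    return {
        s["src"]: audit_script(s, page_host)
        for s in inventory_scripts(html)
        if "src" in s
    }


if __name__ == "__main__":
    for src, findings in audit_page(SAMPLE_HTML, "shop.example.test").items():
        print(f"{src}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the constructed page, the same-origin script and the script that carries both integrity and crossorigin attributes come back clean, the cleartext and protocol-relative loads are flagged, and the https cross-origin load is flagged only for the missing SRI attributes. An assessor reviewing an inventory of this kind would expect every cross-origin entry to either carry an integrity value or have a documented reason why it cannot.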
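The 10.3 row above mentions software issues that let log-forging succeed, that is, an attacker-controlled value written into an audit log with its line breaks intact, so that one request produces extra, fabricated records and the audit trail no longer reflects what happened. The following is an added example, not Lucent Sky AVM code, showing the vulnerable logging pattern beside a neutralizing wrapper and a small parser that makes the difference visible. The log format, field names and tainted input are constructed for this illustration.

```python
"""Log forging: vulnerable audit logging beside a neutralizing wrapper.

Added example, not Lucent Sky AVM code. The record format
"<timestamp> INFO login result=<result> user=<user>" is constructed here.
"""
import re

# Constructed attacker-controlled input: a username that embeds a newline
# followed by a complete, fabricated "successful admin login" record.
TAINTED_USERNAME = (
    "bob\n2025-01-01T00:00:01Z INFO login result=success user=admin"
)

# One record per line; the user field runs to the end of the line.
_RECORD = re.compile(r"^(\S+) (\w+) login result=(\w+) user=(.*)$")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def audit_line_unsafe(ts, result, user):
    """Vulnerable form: the untrusted field is interpolated verbatim, so a
    CR/LF inside it terminates this record and starts another."""
    return f"{ts} INFO login result={result} user={user}"


def neutralize(value):
    """Replace every control character (CR, LF, ESC, ...) with its \\xNN
    escape text so the value can never end or begin a record."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def audit_line_safe(ts, result, user):
    """Hardened form: untrusted fields are neutralized before formatting."""
    return f"{ts} INFO login result={result} user={neutralize(user)}"


def parse_records(log_text):
    """Parse a log the way a downstream consumer would: one record per line."""
    records = []
    for line in log_text.split("\n"):
        m = _RECORD.match(line)
        if m:
            ts, level, result, user = m.groups()
            records.append(
                {"ts": ts, "level": level, "result": result, "user": user}
            )
    return records


def record_count(log_text):
    """Number of records a line-oriented consumer sees in the log text."""
    return len([line for line in log_text.split("\n") if line])


if __name__ == "__main__":
    ts = "2025-01-01T00:00:00Z"
    for label, fn in (("unsafe", audit_line_unsafe), ("safe", audit_line_safe)):
        text = fn(ts, "failure", TAINTED_USERNAME)
        print(f"{label}: {record_count(text)} record(s)")
        for rec in parse_records(text):
            print("   ", rec)
```

With the tainted username, the unsafe form yields two records, the second of which reports a successful login for "admin" that never occurred; the hardened form yields a single failed-login record whose user field still contains the attacker's text, but as inert escaped characters. A review of logging code against this requirement looks for every place an untrusted value reaches a log sink without passing through a neutralizing step of this kind (or a structured logger that quotes fields).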
Additional Guidance for Assessors
- The outputs from Lucent Sky AVM include the serial number and version number of the instance(s) used to generate the outputs, as well as the time the outputs were generated.
- The outputs from Lucent Sky AVM include the rule package and other settings used to generate the outputs. The rule packages and settings used should be in compliance with relevant regulations and standards.
- The outputs from Lucent Sky AVM, when in the form of HTML or XML reports, are cryptographically signed and can be validated for authenticity on the Lucent Sky Report Validation website.
- Lucent Sky AVM receives major updates semi-annually and minor updates monthly. You can verify the outputs were generated by a recent version of Lucent Sky AVM by matching the release information on the Lucent Sky Docs website.
About Lucent Sky AVM
Lucent Sky AVM accelerates and scales the identification and remediation of common categories of application vulnerabilities, such as those in OWASP Top 10 and PCI DSS. It is compatible with .NET, ASP, Android, C/C++, Go, iOS, Java, PHP, Python, Ruby, Rust, Visual Studio applications, as well as static websites and many cross-framework languages and data interchange languages. Lucent Sky AVM is accessible through a web interface, IDE plugins, CLI, and API, and integrates with most common ALM and CI systems.