Lucent Sky AVM for PCI DSS Compliance

2023/2/20

Application security is a critical yet often overlooked element for organizations seeking to be PCI-compliant. Application-layer attacks compromise the flow and processing of data from within the application, leading to unauthorized access to sensitive data and more. Identifying and remediating vulnerabilities as applications are being developed and tested, and mitigating them (instead of wrapping around them) for applications that are in production, is the most effective way to reduce these risks. Through its unique capability to automate and expedite the remediation of application vulnerabilities, Lucent Sky AVM can help organizations achieve PCI compliance more efficiently.

Lucent Sky AVM PCI DSS Matrix

The following section has a matrix of all of the PCI DSS requirements that Lucent Sky AVM covers, as well as guidance for assessors who may be evaluating the use of it for compliance. In some cases, Lucent Sky AVM can be used to justify compliance (as in, to verify that accounts with blank passwords do not exist). The comments and guidance only apply to in-scope applications and systems. The descriptions have been edited for brevity; the PCI Security Standards Council publishes the full version of PCI DSS on their website. Assessors should review specific contracted services in conjunction with the in-scope applications to understand which elements may be used to justify compliance with PCI DSS or other security standards.

PCI DSS version 4.0 requirements

PCI requirement Lucent Sky AVM Assessor guidance
2.2.6 — System security parameters are configured to prevent misuse. (A) Lucent Sky AVM can scan its targets to find configurations that would be deemed insecure. For example, it can look for insecure handling of information or connections to other systems or applications that use insecure protocols. Lucent Sky AVM can be used in support of this requirement and should be deployed as part of the go-live process.
3.3 — Sensitive authentication data (SAD) is not stored after authorization (E) Lucent Sky AVM analyzes a model of the source code and identifies potential locations in the code where sensitive information is being stored. Issues that may result in sensitive authentication data storage are highlighted for the developer to address. Firms should use Lucent Sky AVM in addition to automated and/or manual reviews to ensure that there are no business process rules that may enable storage in certain situations after authorization.
3.4 — Access to displays of full PAN and ability to copy PAN is restricted. (E) Lucent Sky AVM analyzes a model of the source code and identifies potential locations in the code where sensitive information is stored in an insecure manner. Issues that may result in displays of full PAN are highlighted for the developer to address. Firms should use Lucent Sky AVM in addition to automated and/or manual reviews.
3.5 — Primary account number (PAN) is secured wherever it is stored. (E) Lucent Sky AVM analyzes a model of the source code and identifies potential locations in the code where sensitive information is stored in an insecure manner. Issues that may result in insecure PAN storage are highlighted for the developer to address. Firms should use Lucent Sky AVM in addition to automated and/or manual reviews.
3.6 — Cryptographic keys used to protect stored account data are secured. (E) Lucent Sky AVM analyzes situations whereby cryptographic keys are not stored securely. Insecure storage will be detected and highlighted for the developer to address. In the case that crypto key generation is required, Lucent Sky AVM will help ensure that the code generating those keys uses methods to generate strong keys.
4.2.1 — Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. (E) Lucent Sky AVM can detect usage of insecure cryptographic algorithms and protocols in the source code. It can be used for those applications that rely on software controls to enforce secure protocols and encryption. It will identify situations that could be considered risky and flag them for follow-up. Firms can use Lucent Sky AVM in conjunction with encryption tools to ensure applications are not relying on insecure protocols or algorithms. The absence of strong cryptography at the source-code or application layer does not imply its absence for the system. For example, mitigation may be applied for the entire system through a hardware-based control, which encrypts/decrypts all data leaving/entering the system.
4.2.2 — PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies. (E) Lucent Sky AVM maps how data flows throughout an application and looks for possible disclosure of sensitive information such as passwords, credit card numbers, and SSNs. This data can ultimately find its way to a file system for storage, system console, printers etc. where it can be compromised. As data flows through the various functions in an application, certain interactions could lead to data disclosure over these messaging systems. Lucent Sky AVM can help ensure that data is not transmitted over end-user messaging technologies as part of the logic flow within an application.
6.1 — Processes and mechanisms for developing and maintaining secure systems and software are defined and understood. (A) Lucent Sky AVM can be used to identify vulnerabilities in the source code, libraries, and configurations before applications enter production. Lucent Sky AVM should be used to examine application code in its entirety before it is pushed to production. Processes should be put in place to ensure application security tools are applied consistently.
6.2 — Bespoke and custom software are developed securely. (A) Lucent Sky AVM supports this requirement by reviewing the source code for vulnerabilities that would violate PCI DSS or other security frameworks. Lucent Sky AVM, when used in conjunction with other secure development practices, can be used to identify vulnerabilities as a developer writes code, thus preventing them from showing up in production environments. It demonstrates compliance with the requirement by checking code against various standards and security best practices.
6.3.2 — Review custom code prior to release (A) Lucent Sky AVM should be included in the go-live process for any custom code to help ensure that vulnerabilities are caught early. This process will augment existing code-review processes to bring scale to larger deployments. Lucent Sky AVM can be used to support this requirement as part of a larger program for custom code review. In addition, any business logic code that is intended to implement security-like functionality must be reviewed manually by domain experts.
6.3 — Security vulnerabilities are identified and addressed. (A) Lucent Sky AVM scans source code to identify common coding vulnerabilities. All vulnerabilities will be flagged for follow-up and remediation advice provided. It helps developers not introduce vulnerabilities into their source code before it is committed back to the main repository. Finding and fixing vulnerabilities early reduces subsequent tracking, remediation, and re-testing. Lucent Sky AVM is used to scan pre-production source code to satisfy this requirement. Exceptions should be reviewed, patches deployed, and rescanned to verify the problems are fixed. Removing vulnerabilities early is far more efficient than later in the lifecycle. Vulnerabilities can be resolved directly in the application or externally through additional controls. Vulnerabilities may exist due to lack of access to third-party code, because the vulnerability has not yet been remediated, or because new attack methods have created a new vulnerability.
6.6 — Public-facing web applications are protected against attacks. (A) Outputs from Lucent Sky AVM include Instant Fix, code segments that can be used to replace the vulnerable code and remediate the underlying vulnerabilities. These Instant Fixes use security mechanisms built into the application servers as well as industry-standard security libraries, or enterprise security libraries chosen by the firm. Firms using these technologies need to be explicit in where and how they are deployed for security and compliance purposes. For example, while Instant Fix is very effective at remediating vulnerabilities resulting from insecure implementation (such as XSS and SQL injection), only a small number of vulnerabilities resulting from insecure design (such as using a weak encryption algorithm) can be remediated through Instant Fixes. Additionally, firms using Instant Fixes to deploy enterprise security libraries should demonstrate the security and compliance for those enterprise security libraries used.
7.2.2 — Access is assigned to users, including privileged users, based on job classification and function and least privileges necessary to perform job responsibilities (E) Some programming APIs provide excessive privileges, which could lead to a failure to restrict certain functions to a user ID. Lucent Sky AVM can detect and alert on the usage of these APIs. Most software relies on third-party APIs for functionality. Lucent Sky AVM will help ensure that those APIs are properly restricted to programmatically enable compliance with this requirement.
7.3 — Access to system components and data is managed via an access control system(s). (E) Lucent Sky AVM identifies code that may override, weaken, or be vulnerable in ways that reduce the assumed level of access control in an application. Lucent Sky AVM should be used to help detect software vulnerabilities that could lead to weakened access control.
8.2.8 — If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session. (E) Lucent Sky AVM will test session timeouts in applications to determine if this requirement is met. Leveraging these tools adds an extra layer of security to your environment by ensuring that the application times out even if the terminal does not.
8.3.2 — Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components. (E) Lucent Sky AVM can detect the misuse of cryptographic APIs that detect poor key management and stored passwords. It can identify storing sensitive information in clear text and storing sensitive information in storage locations that do not have strong crypto. Weak cryptographic usage can spring from misconfiguration or outdated code. Lucent Sky AVM validates that the application uses cryptographic code properly.
10.5.2 — Audit log files are protected to prevent modifications by individuals. (E) Lucent Sky AVM can detect software issues that may allow log-forging attacks to be successful, which may allow unauthorized modification to occur. Log integrity is critical if you need to use those logs to find a breach or an insider. An attack that modifies the audit trail can cover the tracks of an attacker.
11.3 — External and internal vulnerabilities are regularly identified, prioritized, and addressed. (A) Lucent Sky AVM can be used to identify vulnerabilities in the source code, libraries, and configurations before applications enter production. Lucent Sky AVM should be used to examine application code in its entirety before it is pushed to production. Processes should be put in place to ensure application security tools are applied consistently.
11.4 — External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected. (A) As a potential compensating control, Lucent Sky AVM can be considered a valid method to meet this requirement as well, as long as all of the code the application relies on is included in the scan. External penetration testing firms may use Lucent Sky AVM to satisfy this requirement. Assessors should review how the tool is used in support of these efforts to ensure its completeness.
12.3 — Risks to the cardholder data environment are formally identified, evaluated, and managed. (E) While the products here are not risk-assessment tools, they can all be used in support of a risk-assessment methodology. Lucent Sky AVM has the ability to show risk levels of specific vulnerabilities and exploit events. The results should feed into your risk-assessment process. Outputs from Lucent Sky AVM should be incorporated into the risk-assessment process that the firm uses for this requirement.

PCI DSS version 3.2.1 requirements

PCI requirement Lucent Sky AVM Assessor guidance
2.2.4 — Configure system security parameters to prevent misuse (A) Lucent Sky AVM can scan its targets to find configurations that would be deemed insecure. For example, it can look for insecure handling of information or connections to other systems or applications that use insecure protocols. Lucent Sky AVM can be used in support of this requirement and should be deployed as part of the go-live process.
3.2 (and sub requirements) — Do not store sensitive authentication data after authorization (E) Lucent Sky AVM analyzes a model of the source code and identifies potential locations in the code where sensitive information is being stored. Issues that may result in sensitive authentication data storage are highlighted for the developer to address. Firms should use Lucent Sky AVM in addition to automated and/or manual reviews to ensure that there are no business process rules that may enable storage in certain situations after authorization.
3.4 — Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs). (E) Lucent Sky AVM analyzes a model of the source code and identifies potential locations in the code where sensitive information is stored in an insecure manner. Issues that may result in insecure PAN storage are highlighted for the developer to address. Firms should use Lucent Sky AVM in addition to automated and/or manual reviews.
3.6.1 — Generation of strong cryptographic keys (E) Lucent Sky AVM analyzes situations whereby cryptographic keys are generated by an application using APIs. Misuse will be detected and highlighted for the developer to address. In the case that crypto key generation is required, Lucent Sky AVM will help ensure that the code generating those keys uses methods to generate strong keys.
4.1 — Use strong cryptography and security protocols to safeguard sensitive data during transmission. (E) Lucent Sky AVM can detect usage of insecure cryptographic algorithms and protocols in the source code. It can be used for those applications that rely on software controls to enforce secure protocols and encryption. It will identify situations that could be considered risky and flag them for follow-up. Firms can use Lucent Sky AVM in conjunction with encryption tools to ensure applications are not relying on insecure protocols or algorithms. The absence of strong cryptography at the source-code or application layer does not imply its absence for the system. For example, mitigation may be applied for the entire system through a hardware-based control, which encrypts/decrypts all data leaving/entering the system.
4.2 — Never send unprotected PANs by end-user messaging technologies. (E) Lucent Sky AVM maps how data flows throughout an application and looks for possible disclosure of sensitive information such as passwords, credit card numbers, and SSNs. This data can ultimately find its way to a file system for storage, system console, printers etc. where it can be compromised. As data flows through the various functions in an application, certain interactions could lead to data disclosure over these messaging systems. Lucent Sky AVM can help ensure that data is not transmitted over end-user messaging technologies as part of the logic flow within an application.
6.1 — Establish a process to identify security vulnerabilities (A) Lucent Sky AVM can be used to identify vulnerabilities in the source code, libraries, and configurations before applications enter production. Lucent Sky AVM should be used to examine application code in its entirety before it is pushed to production. Processes should be put in place to ensure application security tools are applied consistently.
6.3 — Develop internal and external software applications securely (A) Lucent Sky AVM supports this requirement by reviewing the source code for vulnerabilities that would violate PCI DSS or other security frameworks. Lucent Sky AVM, when used in conjunction with other secure development practices, can be used to identify vulnerabilities as a developer writes code, thus preventing them from showing up in production environments. It demonstrates compliance with the requirement by checking code against various standards and security best practices.
6.3.1 — Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active. (A) Lucent Sky AVM will scan for poor authentication methods, such as hard-coded or weak passwords, which could end up in a production application. Lucent Sky AVM should be used in conjunction with other processes and methods, such as manual reviews of database entries, to help ensure that test or development credentials do not end up in deployed code.
6.3.2 — Review custom code prior to release (A) Lucent Sky AVM should be included in the go-live process for any custom code to help ensure that vulnerabilities are caught early. This process will augment existing code-review processes to bring scale to larger deployments. Lucent Sky AVM can be used to support this requirement as part of a larger program for custom code review. In addition, any business logic code that is intended to implement security-like functionality must be reviewed manually by domain experts.
6.5 — Address common coding vulnerabilities in software-development processes. (A) Lucent Sky AVM scans source code to identify common coding vulnerabilities. All vulnerabilities will be flagged for follow-up and remediation advice provided. It helps developers not introduce vulnerabilities into their source code before it is committed back to the main repository. Finding and fixing vulnerabilities early reduces subsequent tracking, remediation, and re-testing. Lucent Sky AVM is used to scan pre-production source code to satisfy this requirement. Exceptions should be reviewed, patches deployed, and rescanned to verify the problems are fixed. Removing vulnerabilities early is far more efficient than later in the lifecycle. Vulnerabilities can be resolved directly in the application or externally through additional controls. Vulnerabilities may exist due to lack of access to third-party code, because the vulnerability has not yet been remediated, or because new attack methods have created a new vulnerability. Review the configuration to ensure it is deployed on in-scope applications and protections are set to meet each of the requirements in 6.5.
6.5.1 — Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP, and XPath injection flaws, as well as other injection flaws. (A) Lucent Sky AVM scans through code to find potential injection flaws, and then provides the developer with guidance on how to address the vulnerability. It prevents injection flaws from getting into the source code repository by highlighting the issue in the IDE for the developer. Injection flaws allow a hacker to inject a malicious query or other code, which can alter the logic flow and/or data query in the application. This can result in data loss or other unintended outcomes. Ideally, vulnerabilities should be removed early, during development and/or test.
6.5.2 — Buffer overflows (A) Lucent Sky AVM scans through code to find potential buffer overflow situations, and then provides the developer with guidance on how to address the vulnerability. Items found are highlighted for developers to address. Buffer overflow occurs when a program, while writing data to a buffer, reads or writes past the buffer’s boundary, writing over adjacent memory. This causes errors to occur that usually end execution of the application in an unexpected way. Lucent Sky AVM helps you comply with this requirement by identifying potential buffer overflow so it may be corrected.
6.5.3 — Insecure cryptographic storage (E) Lucent Sky AVM finds situations where sensitive information is stored in locations without strong cryptography. Cryptographic storage external to the application will not be discovered. Firms using this product should ensure a proper manual review of those controls.
6.5.4 — Insecure communications (A) Lucent Sky AVM scans source code to find insecure communications, and then provides the developer with guidance on how to address the vulnerability. Items found are highlighted for developers to address. Insecure communication can happen in multiple areas of the application. Lucent Sky AVM will highlight obvious areas. However, security teams should also perform a manual review to ensure the data they consider sensitive is communicated securely.
6.5.5 — Improper error handling (A) Lucent Sky AVM scans source code to find poor error handling, and then provides the developer with guidance on how to address the vulnerability. Proper error handling helps ensure that when things go wrong in an application, they go wrong safely and don’t give an attacker information about your application, or a method by which they can break in. Lucent Sky AVM can identify improper error handling for remediation.
6.5.6 — All “high-risk” vulnerabilities identified in the vulnerability identification process (A) Lucent Sky AVM scans through code to find all high-risk vulnerabilities, and then provides the developer with guidance on how to address the vulnerability. Lucent Sky AVM prioritizes vulnerabilities by the impact and probability of their risk. Be sure that high-risk vulnerabilities are remediated by developers or vendors who are responsible for the application’s source code. The product used is determined by the type of application and by the unique processes used by your enterprise to deploy it. Ideally, you should remove vulnerabilities early, during development and/or test.
6.5.7 — Cross-site scripting (XSS) (A) Lucent Sky AVM scans through code to find potential XSS flaws, and then provides the developer with guidance on how to address the vulnerability. XSS enables attackers to inject script into Web pages causing them to behave in a different, potentially malicious way. Ideally, vulnerabilities should be removed early, during development and/or test.
6.5.8 — Improper access control (A) Lucent Sky AVM scans through code to find improper access controls, and then provides the developer with guidance on how to address the vulnerability. Items found are highlighted for developers to address. Improper access control should be identified and removed early, during development and/or test.
6.5.9 — Cross-site request forgery (CSRF) (A) Lucent Sky AVM scans through code to find potential CSRF flaws, and then provides the developer with guidance on how to address the vulnerability. Items found are highlighted for developers to address. In CSRF, malicious commands are transmitted from a user that the website trusts. Like XSS, it causes the Web application to behave in an unexpected way. CSRF should be identified and removed early, during development and/or test.
6.5.10 — Broken authentication and session management (A) Lucent Sky AVM scans through code to find potential authentication and session management flaws, and then provides the developer with guidance on how to address the vulnerability. Firms using these products should ensure they are choosing the right tool for the right applications to maximize effectiveness. Ideally, vulnerabilities should be removed early, during development and/or test.
6.6 — For public-facing Web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks. (A) Outputs from Lucent Sky AVM include Instant Fix, code segments that can be used to replace the vulnerable code and remediate the underlying vulnerabilities. These Instant Fixes use security mechanisms built into the application servers as well as industry-standard security libraries, or enterprise security libraries chosen by the firm. Firms using these technologies need to be explicit in where and how they are deployed for security and compliance purposes. For example, while Instant Fix is very effective at remediating vulnerabilities resulting from insecure implementation (such as XSS and SQL injection), only a small number of vulnerabilities resulting from insecure design (such as using a weak encryption algorithm) can be remediated through Instant Fixes. Additionally, firms using Instant Fixes to deploy enterprise security libraries should demonstrate the security and compliance for those enterprise security libraries used.
7.1.2 — Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. (E) Some programming APIs provide excessive privileges, which could lead to a failure to restrict certain functions to a user ID. Lucent Sky AVM can detect and alert on the usage of these APIs. Most software relies on third-party APIs for functionality. Lucent Sky AVM will help ensure that those APIs are properly restricted to programmatically enable compliance with this requirement.
7.2 — Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to "deny all" unless specifically allowed. (E) Lucent Sky AVM identifies code that may override, weaken, or be vulnerable in ways that reduce the assumed level of access control in an application. Lucent Sky AVM should be used to help detect software vulnerabilities that could lead to weakened access control.
8.1.8 — If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session. (E) Lucent Sky AVM will test session timeouts in applications to determine if this requirement is met. Leveraging these tools adds an extra layer of security to your environment by ensuring that the application times out even if the terminal does not.
8.2.1 — Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. (E) Lucent Sky AVM can detect the misuse of cryptographic APIs that detect poor key management and stored passwords. It can identify storing sensitive information in clear text and storing sensitive information in storage locations that do not have strong crypto. Weak cryptographic usage can spring from misconfiguration or outdated code. Lucent Sky AVM validates that the application uses cryptographic code properly.
10.5.2 — Protect audit trail files from unauthorized modifications (E) Lucent Sky AVM can detect software issues that may allow log-forging attacks to be successful, which may allow unauthorized modification to occur. Log integrity is critical if you need to use those logs to find a breach or an insider. An attack that modifies the audit trail can cover the tracks of an attacker.
11.3.1 — Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification. (A) As a potential compensating control, Lucent Sky AVM can be considered a valid method to meet this requirement as well, as long as all of the code the application relies on is included in the scan. External penetration testing firms may use Lucent Sky AVM to satisfy this requirement. Assessors should review how the tool is used in support of these efforts to ensure its completeness.
11.3.2 — Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification. (A) As a potential compensating control, Lucent Sky AVM can be considered a valid method to meet this requirement as well, as long as all of the code the application relies on is included in the scan. Internal penetration testing groups may use Lucent Sky AVM to satisfy this requirement. Assessors should review how the tool is used in support of these efforts to ensure its completeness.
12.2 — Implement a risk assessment process (E) While the products here are not risk-assessment tools, they can all be used in support of a risk-assessment methodology. Lucent Sky AVM has the ability to show risk levels of specific vulnerabilities and exploit events. The results should feed into your risk-assessment process. Outputs from Lucent Sky AVM should be incorporated into the risk-assessment process that the firm uses for this requirement.

(E) Evidence from the product can be used to demonstrate PCI DSS compliance.
(A) Addresses the PCI DSS requirement.

Additional Guidance for Assessors

  • The outputs from Lucent Sky AVM include the serial number and version number of the instance(s) used to generate the outputs, as well as the time the outputs were generated.
  • The outputs from Lucent Sky AVM include the rule package and other settings used to generate the outputs. The rule packages and settings used should be in compliance with relevant regulations and standards.
  • The outputs from Lucent Sky AVM, when in the form of HTML or XML reports, are cryptographically signed and can be validated for authenticity on the Lucent Sky Report Validation website.
  • Lucent Sky AVM receives major updates semi-annually and minor updates monthly. You can verify the outputs were generated by a recent version of Lucent Sky AVM by matching the release information on the Lucent Sky Docs website.

About Lucent Sky AVM

Lucent Sky AVM accelerates and scales the identification and remediation of common categories of application vulnerabilities, such as those in OWASP Top 10 and PCI DSS. It is compatible with .NET, ASP, Android, C/C++, Go, iOS, JDK, PHP, Python, and Visual Basic applications, as well as static websites and most database systems. Lucent Sky AVM is accessible through a web interface, IDE plugins, CLI, and API, and integrates with most common ALM and CI systems.