Wednesday, December 29, 2010

Selecting a Coding Standard for PCI DSS

In “What About the Confused Deputy” I point out that PCI DSS requires industry best practices, information security, code reviews and secure coding practices be incorporated into an organization’s Software Development Life Cycle (SDLC). PCI DSS suggests using OWASP for web applications but it does not provide guidance for addressing custom applications.

What industry best practices and standards are appropriate for the development of custom applications? For secure coding practices, the first place I looked was the CERT Secure Coding Initiatives. CERT defines secure coding standards for several commonly used programming languages.

The clearest explanation of how to use CERT’s Secure Coding Standards is the document describing the MITRE CWE and CERT Secure Coding Standards. The Mitre Common Weakness Enumeration (CWE) is a measurable set of software weaknesses that includes categories for architectural, design, low level coding and design errors. 

The CWE includes different views of these software weaknesses. One view, CWE-734 enumerates the weaknesses addressed by the CERT C Secure Coding Standards. Adherence to the secure coding standard will avoid these weaknesses. CWE-734 also provides insight into weaknesses not addressed by the CERT C Secure Coding Standard. This insight can be used to identify weaknesses that may need to be addressed elsewhere in the SDLC.

The CWE also provides views for the OWASP Top Ten. See CWE-711, −629 and −809.

No comments:

Post a Comment