|
Not so fast...
If you read the full requirements:
6.3.7.a Obtain and review policies to confirm all
custom application code changes for _internal_applications_
must be reviewed (either using manual or automated
processes), as follows:
- Code changes are reviewed by individuals other
then the originating code author, and by
individuals who are knowledgeable in code review
techniques and secure coding practices.
- Appropriate corrections are implemented prior to
release.
- Code review results are reviewed and approved
by management prior to release.
6.3.7.b Obtain and review policies to confirm that all
custom application code changes for _web_applications_
must be reviewed (using either manual or automated
processes) as follows:
- Code changes are reviewed by individuals other
then the originating code author, and by
individuals who are knowledgeable in code review
techniques and secure coding practices.
- Code reviews ensure code is developed according
to secure coding guidelines such as the Open
Web Security Project Guide (see PCI DSS
Requirement 6.5).
- Appropriate corrections are implemented prior to
release.
- Code review results are reviewed and approved
by management prior to release
Note the requirement for a review of _internal_applications_ .
As it turns out, a review of a 5250 application is not too difficult.
Mainly what you end up looking for is, the use of dynamic SQL and the
display/change of sensitive data.
Charles
On Tue, Jan 27, 2009 at 11:21 AM, Dan Kimmel <dkimmel@xxxxxxxxxxxxxxx> wrote:
Kendall,
You would only need to look at RPG code that interfaces with the web and
that won't be much. Most of the security protection (and lack thereof)
is done before the RPG is invoked except in rare cases.
Dan Kimmel
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
KKinnear@xxxxxxxxxx
Sent: Tuesday, January 27, 2009 10:03 AM
To: Midrange Systems Technical Discussion
Subject: Re: Looking for information on PCI Code Security Reviews
Jim,
That still leads me back to my original question. When the referenced
document says:
---Quote-->
Properly implemented, one or more of these four alternatives could meet
the intent of Option 1 and provide the minimum level of protection
against common web application threats:
1. Manual review of application source code 2. Proper use of automated
application source code analyzer (scanning) tools .
.
.
Manual reviews/assessments may be performed by a qualified internal
resource or a qualified third party. In all cases, the individual(s)
must have the proper skills and experience to understand the source code
and/or web application, know how to evaluate each for vulnerabilities,
and understand the findings. Similarly, individuals using automated
tools must have the skills and knowledge to properly configure the tool
and test environment, use the tool, and evaluate the results.
<---End Quote
Are there any tools for System i to do the automated scanning of RPG
code related to security (and associated training) or training focused
at qualifying an individual for the manual review process?
My guess is that there is nothing specific to System i, which is what my
client is looking for. My recommendation will very likely be that they
look at moving those applications covered by PCI off the System i
because it will be simpler to fulfill the requirements of the regulatory
bodies.
Which will unfortunately end up with another System i decommissioned.
Kendall Kinnear
From:
"Jim Franz" <franz400@xxxxxxxxxxxx>
To:
"Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Date:
01/26/2009 09:33 PM
Subject:
Re: Looking for information on PCI Code Security Reviews
This is an explanation of the code review, from the PCI Security
Standards
Council (that wrote the
PCI requirements). It's not a 5 or 10 or even 30 word answer... it's a
several pages answer and that is what you have to read.
https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewa
lls_codereviews.pdf
btw - I wonder how many in our community of iSeries shops have no clue
as to the requirements ( entities that transmit, process, or store
payment card data) that is due this Oct and the consequences of inaction
... https://www.pcisecuritystandards.org/
Jim Franz
----- Original Message -----
From: <KKinnear@xxxxxxxxxx>
To: <MIDRANGE-L@xxxxxxxxxxxx>
Sent: Monday, January 26, 2009 10:42 AM
Subject: Looking for information on PCI Code Security Reviews
I've been inactive for awhile due to medical issues but I'm back and
fullyaround
involved again so I thought I'd turn to some of the best experts
for some help.concerning
I have a client looking for experience with or information
Codecode
Security Review processes related to System i and/or Infinum. The
Mastercard/Visa PCI requirements specify that when there is custom
that accesses credit card data someone trained in code security muston
review the code prior to production implementation. Any information
best practices or education specifically targeted at System i is
appreciated.
We disagree on the intrepretation of some of the wording. Everything
I'vemust
read says an organization that is trained in Code Security Review
audit the changes. That could be intrepreted to say that an outsidebe
organization must review the code. My client believes the code can
reviewed by someone else within the company not involved in thecorrect.
development project. Any ideas of which intrepretation might be
Thanks for any help!
Kendall Kinnear
Senior Systems Architect
KS2 Technologies, Inc
1020 Mustang Dr
Grapevine, TX 76051
Office: 817.310.1817
Fax: 817.310.1801
Mobile: 214.676.3146
email: KKinnear@xxxxxxxxxx
http://www.ks2inc.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
