× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Could have posted this also:

Note: This requirement for code reviews
applies to all custom code (both internal
and public-facing), as part of the system
development life cycle required by PCI
DSS Requirement 6.3. Code reviews can
be conducted by knowledgeable internal
personnel or third parties. Web
applications are also subject to additional
controls, if they are public facing, to
address ongoing threats and
vulnerabilities after implementation, as
defined at PCI DSS Requirement 6.6.


Charles

On Tue, Jan 27, 2009 at 12:28 PM, Charles Wilt <charles.wilt@xxxxxxxxx> wrote:
Not so fast...

If you read the full requirements:

6.3.7.a Obtain and review policies to confirm all
custom application code changes for _internal_applications_
must be reviewed (either using manual or automated
processes), as follows:
- Code changes are reviewed by individuals other
then the originating code author, and by
individuals who are knowledgeable in code review
techniques and secure coding practices.
- Appropriate corrections are implemented prior to
release.
- Code review results are reviewed and approved
by management prior to release.

6.3.7.b Obtain and review policies to confirm that all
custom application code changes for _web_applications_
must be reviewed (using either manual or automated
processes) as follows:
- Code changes are reviewed by individuals other
then the originating code author, and by
individuals who are knowledgeable in code review
techniques and secure coding practices.
- Code reviews ensure code is developed according
to secure coding guidelines such as the Open
Web Security Project Guide (see PCI DSS
Requirement 6.5).
- Appropriate corrections are implemented prior to
release.
- Code review results are reviewed and approved
by management prior to release

Note the requirement for a review of _internal_applications_ .

As it turns out, a review of a 5250 application is not too difficult.

Mainly what you end up looking for is, the use of dynamic SQL and the
display/change of sensitive data.


Charles



On Tue, Jan 27, 2009 at 11:21 AM, Dan Kimmel <dkimmel@xxxxxxxxxxxxxxx> wrote:
Kendall,

You would only need to look at RPG code that interfaces with the web and
that won't be much. Most of the security protection (and lack thereof)
is done before the RPG is invoked except in rare cases.

Dan Kimmel

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
KKinnear@xxxxxxxxxx
Sent: Tuesday, January 27, 2009 10:03 AM
To: Midrange Systems Technical Discussion
Subject: Re: Looking for information on PCI Code Security Reviews

Jim,

That still leads me back to my original question. When the referenced
document says:

---Quote-->
Properly implemented, one or more of these four alternatives could meet
the intent of Option 1 and provide the minimum level of protection
against common web application threats:

1. Manual review of application source code 2. Proper use of automated
application source code analyzer (scanning) tools .
.
.
Manual reviews/assessments may be performed by a qualified internal
resource or a qualified third party. In all cases, the individual(s)
must have the proper skills and experience to understand the source code
and/or web application, know how to evaluate each for vulnerabilities,
and understand the findings. Similarly, individuals using automated
tools must have the skills and knowledge to properly configure the tool
and test environment, use the tool, and evaluate the results.
<---End Quote

Are there any tools for System i to do the automated scanning of RPG
code related to security (and associated training) or training focused
at qualifying an individual for the manual review process?

My guess is that there is nothing specific to System i, which is what my
client is looking for. My recommendation will very likely be that they
look at moving those applications covered by PCI off the System i
because it will be simpler to fulfill the requirements of the regulatory
bodies.
Which will unfortunately end up with another System i decommissioned.

Kendall Kinnear



From:
"Jim Franz" <franz400@xxxxxxxxxxxx>
To:
"Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Date:
01/26/2009 09:33 PM
Subject:
Re: Looking for information on PCI Code Security Reviews



This is an explanation of the code review, from the PCI Security
Standards

Council (that wrote the
PCI requirements). It's not a 5 or 10 or even 30 word answer... it's a
several pages answer and that is what you have to read.

https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewa
lls_codereviews.pdf


btw - I wonder how many in our community of iSeries shops have no clue
as to the requirements ( entities that transmit, process, or store
payment card data) that is due this Oct and the consequences of inaction
... https://www.pcisecuritystandards.org/

Jim Franz

----- Original Message -----
From: <KKinnear@xxxxxxxxxx>
To: <MIDRANGE-L@xxxxxxxxxxxx>
Sent: Monday, January 26, 2009 10:42 AM
Subject: Looking for information on PCI Code Security Reviews


I've been inactive for awhile due to medical issues but I'm back and

fully
involved again so I thought I'd turn to some of the best experts
around
for some help.

I have a client looking for experience with or information
concerning
Code
Security Review processes related to System i and/or Infinum. The
Mastercard/Visa PCI requirements specify that when there is custom
code
that accesses credit card data someone trained in code security must
review the code prior to production implementation. Any information
on
best practices or education specifically targeted at System i is
appreciated.

We disagree on the intrepretation of some of the wording. Everything

I've
read says an organization that is trained in Code Security Review
must
audit the changes. That could be intrepreted to say that an outside
organization must review the code. My client believes the code can
be
reviewed by someone else within the company not involved in the
development project. Any ideas of which intrepretation might be
correct.

Thanks for any help!

Kendall Kinnear
Senior Systems Architect

KS2 Technologies, Inc
1020 Mustang Dr
Grapevine, TX 76051

Office: 817.310.1817
Fax: 817.310.1801
Mobile: 214.676.3146
email: KKinnear@xxxxxxxxxx

http://www.ks2inc.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.




--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.




As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.