Over the last several years, billions of people have been victims of data breaches. According to the digital security firm Positive Technologies, as cited in a recent USA Today article, in April, May and June of 2018 alone, 765 million people fell victim to a breach or cyber attack, to the tune of millions of dollars in losses. This is a 47% increase over the same period of the prior year.
Breaches and cyber attacks are by no means slowing down. The software industry has a role to play, and the PCI Security Standards Council, as part of its PCI Security Framework (a collection of software security standards), has introduced the PCI Secure Software Standard and the PCI Secure Software Lifecycle (Secure SLC) Standard. The aim is to make electronic payments more secure by raising the level of security of payment software and ensuring that security is addressed throughout the entire software lifecycle. Initially, the standards impact vendors or providers of Payment Applications.
The new standard requires organizations to do more than “keep an eye on” their Open Source Software (OSS) use: software companies must continuously identify and assess weaknesses within their software applications, including the complete software supply chain. Specifically, the PCI Secure Software Requirements and Assessment Procedures provides a baseline of requirements with corresponding assessment procedures and guidance. This includes accounting for the entire code base and detecting vulnerabilities in third-party, open source, or shared components and libraries. In addition to this enhanced governance, key security principles addressed in the Secure SLC Standard include threat identification, vulnerability detection and mitigation, security testing, change management, secure software updates, and stakeholder communications.
Vulnerability and Software Composition Analysis solutions are key to addressing security and risk management. Options include engaging audit services to get a picture of what’s in your code and gain some control (PCI requires that assessors be SSLC qualified), or investing in products like FlexNet Code Insight that scan your code and look for vulnerabilities that could compromise your software and create major issues for you and your users.
Embark on the right path for you with several goals in mind:
- Create a consistent, repeatable process for software vulnerability and risk management
- Gain buy-in from critical stakeholders across the organization, including executives, developers, engineers, and legal
- Set and enforce policies for remediation
- Create a complete and accurate Bill of Materials for all your applications to meet the requirement of accounting for the entire code base
- Make open source scanning an ongoing best practice effort, whether you are engaging with audit services or implementing a Software Composition Analysis solution that is integrated into your existing Engineering process
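To make the “account for the entire code base” requirement and the remediation-policy goal concrete, here is an added example of the core of a software composition analysis pass. It is illustrative code written for this article, not code from FlexNet Code Insight or from the PCI Council: it builds a bill of materials from an npm-style lockfile (transitive dependencies included), matches each component against an advisory feed by version range, and applies a severity threshold as the remediation policy. The lockfile, package names and advisory identifiers are all constructed for the example.

```python
"""Minimal software composition analysis (SCA) pass: build a bill of
materials (BoM) from a dependency manifest, match each component against
an advisory feed, and enforce a remediation policy.
All input data below is constructed for this example."""
import json
from dataclasses import dataclass

# Constructed npm-style package-lock fragment (not real package data).
LOCKFILE = json.dumps({
    "name": "payment-portal",
    "packages": {
        "": {"name": "payment-portal", "version": "2.1.0"},
        "node_modules/example-parser": {"version": "1.4.2"},
        "node_modules/example-crypto": {"version": "0.9.1"},
        # nested entry: a transitive dependency of example-parser
        "node_modules/example-parser/node_modules/example-util": {"version": "3.0.0"},
    },
})

# Constructed advisory feed; affected range is half-open [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "example-parser",
     "introduced": "1.0.0", "fixed": "1.4.3", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "package": "example-util",
     "introduced": "2.0.0", "fixed": "2.5.0", "severity": "medium"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    path: str  # where in the tree it was installed, for the BoM record


def parse_version(v):
    """Turn 'major.minor.patch' into a comparable tuple of ints."""
    return tuple(int(x) for x in v.split("."))


def build_bom(lockfile_text):
    """Return one Component per installed package, including nested
    (transitive) entries, so the whole code base is accounted for."""
    data = json.loads(lockfile_text)
    bom = []
    for path, entry in data["packages"].items():
        if path == "":
            continue  # the root project itself is not a third-party component
        name = path.rsplit("node_modules/", 1)[1]
        bom.append(Component(name, entry["version"], path))
    return bom


def is_affected(component, advisory):
    """True when the component's version falls inside the advisory's range."""
    if component.name != advisory["package"]:
        return False
    v = parse_version(component.version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerabilities(bom, advisories):
    """Cross the BoM with the advisory feed and return each match as a finding."""
    findings = []
    for c in bom:
        for adv in advisories:
            if is_affected(c, adv):
                findings.append({"component": c.name, "version": c.version,
                                 "path": c.path, "advisory": adv["id"],
                                 "severity": adv["severity"],
                                 "fixed_in": adv["fixed"]})
    return findings


def evaluate_policy(findings, block_at="high"):
    """Remediation policy: return True (pass) only if no finding reaches
    the blocking severity. Run this in CI to fail a build that regresses."""
    order = {"low": 0, "medium": 1, "high": 2, "critical": 3}
    return all(order[f["severity"]] < order[block_at] for f in findings)


if __name__ == "__main__":
    bom = build_bom(LOCKFILE)
    findings = find_vulnerabilities(bom, ADVISORIES)
    print(json.dumps({"bom": [c.__dict__ for c in bom], "findings": findings}, indent=2))
    print("policy pass:", evaluate_policy(findings))
```

On the constructed input the BoM lists three components; only example-parser 1.4.2 falls inside an affected range (example-util 3.0.0 is past its advisory's fixed version), and because that finding is rated high the policy check fails. Keeping the BoM step separate from the matching step is what lets you re-run the match whenever the advisory feed changes, without re-scanning the code base.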
Need to test the waters? Use a free code scanner for Java, NuGet, and NPM to begin to get a picture of where vulnerabilities might exist in your code.