Requirement 6: Develop and Maintain Secure Systems and Applications

From the PCI DSS:

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses. Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

| PCI DSS Requirement | How Requirement is Addressed with EFT Server |
| --- | --- |
| 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release. | The latest version of EFT Server is always available at http://www.globalscape.com/support/eft.aspx. |
| 6.2 Establish a process to identify newly discovered security vulnerabilities. | GlobalSCAPE notifies its customers via e-mail when a patch for a security vulnerability or exploit is available for download. |
| 6.3 - 6.3.7 Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle. | This requirement and its sub-requirements relate to policies and procedures for deploying applications and patches from testing through production. |
| 6.4.4 Back-out procedures | Always back up EFT Server’s configuration data for disaster recovery and change-control best practices. |
| 6.5 - 6.5.9 Develop all web applications based on secure coding guidelines, such as Open Web Application Security Project Guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes. | EFT Server is constantly evaluated and tested for security vulnerabilities and exploits. Any problems found are immediately remediated and communicated to our customers. |