[PA-DSS] 5.2 Develop all web payment applications (internal and external, and including web administ

5.2 Develop all web payment applications (internal and external, and including web administrative access to product) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes, to include:

[ul]
[li] 5.2.1 Cross-site scripting (XSS) (validate all parameters before inclusion).[/li]
[li] 5.2.2 Injection flaws, particularly SQL injection (validate input to verify user data cannot modify meaning of commands and queries). Also consider LDAP and XPath injection flaws, as well as other injection flaws.[/li]
[li] 5.2.3 Malicious file execution (validate input to verify application does not accept filenames or files from users).[/li]
[li] 5.2.4 Insecure direct object references (do not expose internal object references to users).[/li]
[li] 5.2.5 Cross-site request forgery (CSRF) (do not rely on authorization credentials and tokens automatically submitted by browsers).[/li]
[li] 5.2.6 Information leakage and improper error handling (do not leak information via error messages or other means).[/li]
[li] 5.2.7 Broken authentication and session management (properly authenticate users and protect account credentials and session tokens).[/li]
[li] 5.2.8 Insecure cryptographic storage (prevent cryptographic flaws).[/li]
[li] 5.2.9 Insecure communications (properly encrypt all authenticated and sensitive communications).[/li]
[li] 5.2.10 Failure to restrict URL access (consistently enforce access control in presentation layer and business logic for all URLs).[/li]
[/ul]
PCI Data Security Standard Requirement 6.5

Testing Procedures:

5.2.a Obtain and review software development processes for any web-based payment applications (internal and external, and including web-administrative access to product). Verify the process includes training in secure coding techniques for developers, and is based on guidance such as the OWASP Guide (http://www.owasp.org). Interview a sample of developers and obtain evidence that they are knowledgeable in secure coding techniques.

5.2.b For web payment applications included in review, verify that the payment applications are not vulnerable to common coding vulnerabilities by performing manual or automated penetration testing that specifically attempts to exploit each of the following:

[ul]
[li] 5.2.1 Cross-site scripting (XSS).[/li]
[li] 5.2.2 Injection flaws, particularly SQL injection.[/li]
[li] 5.2.3 Malicious file execution.[/li]
[li] 5.2.4 Insecure direct object references.[/li]
[li] 5.2.5 Cross-site request forgery (CSRF).[/li]
[li] 5.2.6 Information leakage and improper error handling.[/li]
[li] 5.2.7 Broken authentication and session management.[/li]
[li] 5.2.8 Insecure cryptographic storage.[/li]
[li] 5.2.9 Insecure communications.[/li]
[li] 5.2.10 Failure to restrict URL access.[/li]
[/ul]
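The parenthetical controls in 5.2.2, 5.2.4, 5.2.5, 5.2.6 and 5.2.7 above, shown together in one request handler as an added Python example; it is not part of PA-DSS or of any vendor's product, and the orders table, session store and request dictionary format are constructed for illustration:

```python
import hmac
import secrets
import sqlite3

# Constructed in-memory data: an orders table and a session store keyed by
# the session id that a browser would send automatically in a cookie.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, total REAL)")
DB.executemany("INSERT INTO orders VALUES (?, ?, ?)",
               [(1, "alice", 42.0), (2, "bob", 99.5)])
SESSIONS = {}  # session_id -> {"user": ..., "csrf": ...}


def new_session(user):
    """Issue a random session id and a separate per-session CSRF token (5.2.7)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def fetch_order(request):
    """Return (status, body) for a constructed request dict with the keys
    'session' (cookie value), 'csrf' (form/header value) and 'order_id'."""
    try:
        session = SESSIONS.get(request.get("session"))
        if session is None:
            return 401, "not authenticated"                      # 5.2.7
        # 5.2.5: the cookie arrives automatically; the token must be
        # supplied by the page itself, and is compared in constant time.
        supplied = request.get("csrf", "").encode()
        if not hmac.compare_digest(session["csrf"].encode(), supplied):
            return 403, "bad request token"
        # 5.2.2: type-check, then bind as a parameter; user data never
        # becomes part of the SQL text.
        order_id = int(request.get("order_id", ""))
        row = DB.execute("SELECT id, owner, total FROM orders WHERE id = ?",
                         (order_id,)).fetchone()
        # 5.2.4: the id is a reference the client can change at will, so
        # ownership is checked server-side; a foreign row gets the same
        # answer as a missing one.
        if row is None or row[1] != session["user"]:
            return 404, "not found"
        return 200, {"id": row[0], "total": row[2]}
    except ValueError:
        return 400, "invalid order id"                           # 5.2.6
    except sqlite3.Error:
        return 500, "internal error"     # 5.2.6: no driver message, no SQL
```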