IT Governance, the fast-growing cyber security services provider and a PCI QSA company, has announced that senior consultant and QSA Geraint Williams will deliver a talk at the OWASP AppSec Research 2014 conference in Cambridge in June.
Williams’s presentation will examine best practices for developing bespoke or custom-written applications for use within the cardholder data environment covered by the Payment Card Industry Data Security Standard (PCI DSS).
Geraint Williams commented: “I am delighted to be given the opportunity to speak at this very prestigious conference. The objective of my talk is to inform those who are developing applications of the PCI DSS requirements, review the testing procedures that an auditor would use to examine compliance with the requirements, and highlight the evidence the auditor will be expecting to collect to prove the requirements are being met continually. The purpose is to help them develop applications securely to the requirements.”
Williams’s talk will cover:
• Secure software development lifecycle practices that build security into the requirements definition, design, analysis and testing phases of software development.
• Requiring developers to understand how cardholder data is handled in memory, and how modern malware scrapes memory to retrieve sensitive data.
• The use of separate development, testing and production environments, including separation of duties between developers, testers and production administrators.
• The need to remove test account credentials and test data from an application before it is released to the production environment.
• Prohibition of the use of ‘live’ data for testing or development purposes.
• The use of change control mechanisms to ensure all changes to system components are reviewed and authorised.
• Training software developers in secure coding techniques, and developing applications against secure coding guidelines.
• The testing of applications to ensure they do not suffer from known vulnerabilities.
• Protecting public-facing web applications against known attacks.
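Two of the points above, removing test credentials and test card data before release and never letting live cardholder data into a development or test environment, are the kind of thing an assessor checks by inspecting build artefacts. As an added illustration (not code from the talk or from IT Governance), the following pre-release check scans a settings file for PAN-shaped numbers that pass the Luhn check and for assignments of test or default credentials. The file contents, key names and card numbers are constructed for the example; the set of known sandbox test numbers is a small assumed sample that a real pipeline would extend with its processor’s published list. PAN findings are reported masked (first six and last four digits) so the scan report does not itself become cardholder data.

```python
"""Pre-release scan for test card data and leftover credentials.

Added example, not from the original article.  File contents, key
names and card numbers below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# key = "value" / key: 'value' lines in settings, fixtures or code.
# Leading whitespace is matched as spaces/tabs only so the match never
# swallows a preceding blank line (keeps reported line numbers right).
ASSIGNMENT = re.compile(
    r"^[ \t]*(?P<key>[A-Za-z_][A-Za-z0-9_]*)[ \t]*[=:][ \t]*[\"'](?P<value>[^\"']+)[\"']",
    re.MULTILINE,
)
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|api_?key|test_?user", re.IGNORECASE)

# Assumed sample of widely published sandbox test card numbers.  They are
# Luhn-valid, so the Luhn filter alone cannot tell them from live PANs.
KNOWN_TEST_PANS = {"4111111111111111", "5500000000000004", "4242424242424242"}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check as used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line: int
    kind: str      # "test_pan", "possible_live_pan" or "credential"
    detail: str    # masked PAN or offending key name


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def find_pans(text: str) -> list[Finding]:
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):      # order ids, timestamps etc. drop out here
            continue
        kind = "test_pan" if digits in KNOWN_TEST_PANS else "possible_live_pan"
        findings.append(Finding(_line_of(text, m.start()), kind, mask_pan(digits)))
    return findings


def find_credentials(text: str) -> list[Finding]:
    findings = []
    for m in ASSIGNMENT.finditer(text):
        if SENSITIVE_KEY.search(m.group("key")):
            findings.append(Finding(_line_of(text, m.start()), "credential", m.group("key")))
    return findings


def release_check(text: str) -> list[Finding]:
    """Everything that must be removed before the build reaches production."""
    return sorted(find_pans(text) + find_credentials(text), key=lambda f: f.line)


# Constructed fixture: a settings file as left in a developer's checkout.
SAMPLE_SETTINGS = """\
# constructed fixture: settings.py before release
DB_PASSWORD = "testpass123"          # default test credential
TEST_USER = "qa_tester"
TEST_PAN = "4111 1111 1111 1111"     # sandbox card used by unit tests
ORDER_ID = "20240117-0000123456"     # numeric, but fails Luhn: not flagged
customer_pan = "4532015112830366"    # looks like live data copied into a fixture
"""

if __name__ == "__main__":
    import sys
    found = release_check(SAMPLE_SETTINGS)
    for f in found:
        print(f"line {f.line}: {f.kind}: {f.detail}")
    sys.exit(1 if found else 0)   # fail the release pipeline on any finding
```

The Luhn filter is what keeps order numbers and timestamps out of the report, but it cannot distinguish a sandbox test card from a live one; that is why the check keeps a list of known test numbers and treats any other Luhn-valid candidate as possible live data to be investigated rather than silently ignored.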
Attendees can register for the OWASP AppSec Research 2014 here: http://2014.appsec.eu/
Geraint Williams is a PCI Qualified Security Assessor and leads the PCI DSS and penetration testing team at IT Governance. More information on PCI DSS compliance is available on IT Governance’s website at: www.itgovernance.co.uk/pci_dss.aspx.