6.2.3 Bespoke and custom software is reviewed prior to being released into production
Defined Approach Requirements
6.2.3 Bespoke and custom software is reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities, as follows:
- Code reviews ensure code is developed according to secure coding guidelines.
- Code reviews look for both existing and emerging software vulnerabilities.
- Appropriate corrections are implemented prior to release.
Customized Approach Objective
Bespoke and custom software cannot be exploited via coding vulnerabilities.
Applicability Notes
This requirement for code reviews applies to all bespoke and custom software (both internal and public facing), as part of the system development lifecycle.
Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.4.
Code reviews may be performed using either manual or automated processes, or a combination of both.
Defined Approach Testing Procedures
6.2.3.a Examine documented software development procedures and interview responsible personnel to verify that processes are defined that require all bespoke and custom software to be reviewed in accordance with all elements specified in this requirement.
6.2.3.b Examine evidence of changes to bespoke and custom software to verify that the code changes were reviewed in accordance with all elements specified in this requirement.
Purpose
Security vulnerabilities in bespoke and custom software are commonly exploited by malicious individuals to gain access to a network and compromise account data.
Vulnerable code is far more difficult and expensive to address after it has been deployed or released into production environments. Requiring a formal review and signoff by management prior to release helps to ensure that code is approved and has been developed in accordance with policies and procedures.
Good Practice
The following items should be considered for inclusion in code reviews:
- Searching for undocumented features (implant tools, backdoors).
- Confirming that software securely uses external components' functions (libraries, frameworks, APIs, etc.). For example, if a third-party library providing cryptographic functions is used, verify that it was integrated securely.
- Checking for correct use of logging to prevent sensitive data from getting into logs.
- Analysis of insecure code structures that may contain potential vulnerabilities related to common software attacks identified in Requirement 6.2.4.
- Checking the application's behavior to detect logical vulnerabilities.
Sub-Requirements
purpose
Address vulnerabilities for all system components and software, including bespoke and custom software.
compliance strategies
- Vulnerability scanning
- Patch management
typical policies
- Vulnerability Management Policy
common pitfalls
- Unpatched custom software
- Delayed remediation
type
Technical/Process Control
difficulty
High
key risks
- Persistent vulnerabilities
recommendations
- Integrate custom app scanning with enterprise vulnerability management
Eligible SAQ
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER
Your perspective on this PCI DSS requirement matters! Share your implementation experiences, challenges, or questions below. Your insights help other organizations improve their compliance journey and build a stronger security community.Comment Policy