Integrator Notes
On your servers you should ensure that the latest security patches have been applied.
When making changes to Multifront, follow these industry best practices:
| • | Testing of all security patches and of all system and software configuration changes before deployment |
| • | Separate development, test, and production environments |
| • | Separation of duties between development, test, and production environments |
| • | Production data (live PANs or credit card numbers) is not used for testing or development |
| • | Remove test data and accounts before production systems become active |
| • | Remove custom application accounts, usernames, and passwords before applications become active or are released to customers |
| • | Review custom code prior to release to production or customers in order to identify any potential coding vulnerability. |
Follow change control procedures for all system and software configuration changes. The procedures must include the following:
| • | Management sign-off by appropriate parties |
| • | Testing of operational functionality |
Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include the following:
| • | Broken access control (for example, malicious use of user IDs) |
| • | Broken authentication and session management (use of account credentials and session cookies) |
| • | Cross-site scripting (XSS) attacks |
| • | Injection flaws (for example, structured query language (SQL) injection) |
| • | Insecure storage (cryptographic or otherwise) |
| • | Security Misconfiguration |
| • | Insecure Direct Object References |
| • | Cross-Site Request Forgery (CSRF) |
| • | Failure to Restrict URL Access |
| • | Insufficient Transport Layer Protection |
| • | Unvalidated Redirects and Forwards |
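As an added illustration of two items in the list above, injection flaws and cross-site scripting, here is a vulnerable lookup beside its hardened form. This is example code written for this guide, not code from Multifront; it uses an in-memory SQLite table seeded with constructed sample accounts, and the function names and the fake credentials are assumptions.

```python
"""Vulnerable vs. hardened handling of untrusted input (added example,
not Multifront code).

login_vulnerable() splices user input into the SQL text, which is the
injection flaw named in the checklist; login_safe() binds the same input
as a parameter. render_greeting_vulnerable() echoes input into HTML,
the XSS flaw; render_greeting_safe() escapes it first.
"""
import html
import sqlite3

# Constructed sample data: fake accounts for the demonstration only.
SAMPLE_USERS = [
    ("alice", "correct horse"),
    ("bob", "battery staple"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Injection flaw: the caller's strings become part of the SQL statement."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: placeholders keep the input as bound data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def render_greeting_vulnerable(name: str) -> str:
    """XSS flaw: untrusted input is written into the page unescaped."""
    return "<p>Welcome, %s</p>" % name


def render_greeting_safe(name: str) -> str:
    """Hardened: HTML-escape the value (including quotes) before output."""
    return "<p>Welcome, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = build_db()
    # Classic payload: the closing quote ends the password literal and the
    # OR clause makes the WHERE condition true for every row.
    payload = "' OR '1'='1"
    print("vulnerable login returns:", login_vulnerable(db, "alice", payload))
    print("safe login returns:     ", login_safe(db, "alice", payload))
    script = "<script>alert(1)</script>"
    print("vulnerable page:", render_greeting_vulnerable(script))
    print("safe page:      ", render_greeting_safe(script))
```

Running the block shows the vulnerable query returning every account for a password of `' OR '1'='1` while the parameterised query returns nothing, and the escaped greeting rendering the script tag as inert text. The same two patterns, string concatenation into SQL and unescaped output into HTML, are what a code review under the guidance above should be looking for.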
Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
| • | Have all custom application code reviewed for common vulnerabilities by an organization that specializes in application security |
| • | Install an application layer firewall in front of web-facing applications. Note that PCI-DSS Requirement 6.6 requires one of these two methods (a specialist code review or an application layer firewall), not necessarily both. |
Further information on secure web development can be found at:
http://www.owasp.org/index.php/OWASP_Top_Ten_Project
When deploying applications to production, back up both your database and your application code first. PCI-DSS requires well-defined procedures for testing your code before deploying it to production, and production back-out procedures in case the deployment has to be reverted.
Configuration Notes
By default, the web services feature of Multifront is secured and not accessible. If you enable web services, configure access to the webservices directory so that the web services are not publicly accessible, and verify from outside your network that the directory cannot be reached.