Requirement 6: Develop and maintain secure systems and applications

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed via vendor security patches, and all systems should have current software patches to protect against exploitation by employees, external hackers, and viruses. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

The following table lists the specific sub-requirements in Requirement 6 that are addressed by TIBCO LogLogic’s Compliance Suite - PCI Edition.

Requirement 6: Develop and maintain secure systems and applications

6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.

6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. (Update: v3.0, November 2013.)

6.3.3 Separation of duties between development, test, and production environments.

6.4.1 Follow change control procedures for all system and software configuration changes. The procedures must include the following:
    Documentation of impact

6.4.2 Follow change control procedures for all system and software configuration changes. The procedures must include the following:
    Management sign-off by appropriate parties

6.4.3 Follow change control procedures for all system and software configuration changes. The procedures must include the following:
    Testing of operational functionality

6.4.4 Follow change control procedures for all system and software configuration changes. The procedures must include the following:
    Back-out procedures

6.7 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.