Test the system for buffer overflows.


CONTROL ID
01322
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Perform penetration tests, as necessary (CC ID: 00655)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Verify that processes are in place to ensure that web applications are not vulnerable to buffer overflow. (§ 6.5.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Interview responsible personnel and examine the software development policies and procedures to verify buffer overflows are addressed by coding techniques, such as validating buffer boundaries and truncating input strings. (Testing Procedures § 6.5.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure the development of web applications are based on secure coding guidelines and prevents common coding vulnerabilities such as insecure direct object references. (§ 6.5.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that processes are in place to ensure that applications are not vulnerable to buffer overflow. (§ 6.5.2 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that processes are in place to ensure that web applications are not vulnerable to buffer overflow. (§ 6.5.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The software development process must address common coding vulnerabilities, to include buffer overflows. (PCI DSS Requirements § 6.5.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Internal object references should not be available to users. (§ 5.2.4, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Do coding techniques address buffer overflow vulnerabilities? (PCI DSS Question 6.5.2, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Do coding techniques address buffer overflow vulnerabilities? (PCI DSS Question 6.5.2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do coding techniques address buffer overflow vulnerabilities? (PCI DSS Question 6.5.2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)