News and Notes from the Makers of Nexus | Sonatype Blog

Hygiene for open source software is now a PCI requirement

Written by Matt Howard | February 19, 2019

As we said last year, the software industry is failing to protect the public from data theft and misuse; motivating government officials, associations and third-party standards groups to step in and put policies and regulations into place.

One such organization who has long been working to help make electronic payments safer and more secure is the PCI Security Standards Council. Last month, the association introduced an important new software security standard entitled PCI Secure Software Standards and the PCI Secure Software Lifecycle (Secure SLC) Standard.

What exactly does the new standard mean? Why should anyone care?

The new standard requires organizations to govern their use of open source software, and it states that any application utilized as part of the payment process, must be secure by design.

Here at Sonatype, we know the incredible power of open source software development when it is done within a properly governed environment. We also understand the significant risks of open source software development when it is not properly governed. Furthermore, we know that with proper governance, cyber attacks targeting open source vulnerabilities are easily prevented.

PCI's new Secure SLC outlines security requirements and assessment procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data.

Let me break down exactly what PCI says when it comes to open source governance and managing the software supply chain.

It notes that threats to the software and weaknesses within its design must be continuously identified and assessed. Specifically, when it comes to the use of open source components and third-party libraries organizations are responsible for ensuring they, as well as any of their vendors, have:

  1. An up-to-date inventory of open source components utilized in the software.

  2. A process for identifying known vulnerabilities within open source components.

  3. 360-degree monitoring of open source components throughout the SDLC.

  4. A policy and process to immediately remediate vulnerabilities as they become known.

To effectively utilize open source components at scale, organizations must generate a software bill of materials (SBOM) so they can easily track and trace the location of every single component embedded within their production software applications.

Indeed, having a SBOM is the only way to immediately assess / remediate exposure every time new open source vulnerabilities are publicly disclosed -- and, from what I can tell, it's a very straight forward way to comply with the new PCI standard.

So what next? Try our free Sonatype Vulnerability Scanner to see for yourself how easy it is to comply with PCI's new Secure SLC standard.