Lab 9
1. What are some common risks, and vulnerabilities commonly found in the System/Application Domain that must be mitigated with proper security countermeasures?
Unauthorized access to data centers, computer rooms and wiring closets, servers must be shut down occasionally for maintenance causing network downtime, data can be easily lost or corrupt and recovering critical business functions may take too long to be useful.
2. If your company makes software to accept credit card payments, what standard would you use to measure and audit your software security?
You must adhere to the PCI Data Security Standard Compliance requirements.
3. Which 3 PCI requirements are most relevant to the systems/application domain?
Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect stored cardholder data.
4. Your production system is regularly back-up, and some of the data is used for testing and development for a new application interface. Is this in compliance with PCI DSS?
No, because if the test environment is not secure then its not in compliance.
Yes, if the test and production environment has same level of security
5. Why is it a risk to use production data for development?
Because if the information is not tested properly during the testing phase then its possibility that the information is not skewed. And also if the environment is not safe then there can be some compliance issues.
6. What are some options according to PCI DSS to protect external facing web applications from known attacks?
Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.
Installing an application layer firewall in front of Web-facing applications.
7. In order to perform a PCI DSS compliance audit on your e-commerce website, what should you incorporate into Requirement #6 regarding “Develop and Maintain Secure
Unauthorized access to data centers, computer rooms and wiring closets, servers must be shut down occasionally for maintenance causing network downtime, data can be easily lost or corrupt and recovering critical business functions may take too long to be useful.
2. If your company makes software to accept credit card payments, what standard would you use to measure and audit your software security?
You must adhere to the PCI Data Security Standard Compliance requirements.
3. Which 3 PCI requirements are most relevant to the systems/application domain?
Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect stored cardholder data.
4. Your production system is regularly back-up, and some of the data is used for testing and development for a new application interface. Is this in compliance with PCI DSS?
No, because if the test environment is not secure then its not in compliance.
Yes, if the test and production environment has same level of security
5. Why is it a risk to use production data for development?
Because if the information is not tested properly during the testing phase then its possibility that the information is not skewed. And also if the environment is not safe then there can be some compliance issues.
6. What are some options according to PCI DSS to protect external facing web applications from known attacks?
Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.
Installing an application layer firewall in front of Web-facing applications.
7. In order to perform a PCI DSS compliance audit on your e-commerce website, what should you incorporate into Requirement #6 regarding “Develop and Maintain Secure