"The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data and/or sensitive authentication data".
While this is aimed at applications that process payment card information, it can also serve as a general standard for application security. If you are involved in application security, you should have a look at the PA-DSS standard, because you may get some useful tips from it.
The standard contains 14 requirements. While some of these are specific to payment cards, most of the requirements can apply to general application security. In each requirement, simply replace "payment application" with "application" and "cardholder data" or "PAN" with "sensitive data", and the contents can apply to any application. The application is the software application that you are developing, and "sensitive data" is any sensitive data that your application may be processing, e.g. personal information. The phrase "software vendor" can be replaced by "software developer", essentially the team that is developing your application.
What is the best way to use the standard for general application security? When designing your application, go down through each of the requirements in the PA-DSS documents and ask the following types of questions.
- Does this requirement potentially apply to my application?
- What is the risk of not implementing this requirement in my application?
Alternatively, if you have a secure development program within your organization, go down through the PA-DSS, perform a gap analysis and see if there are tasks which you should incorporate into your security program.
For example, requirement 5 covers the elements of a secure development program. This should really be the first requirement. Are there sections in requirement 5 which you can incorporate into your program? Requirement 4 covers application audit trails. In particular, it includes the types of information that should be stored in the audit log itself. Audit requirements are often not included in general application security requirements. However, this is one area which can be expensive to retrofit but relatively cheap to incorporate if it is included from the beginning of development.
Download and read the PA-DSS standard itself. Each requirement consists of a number of different subsections, laid out in 3 columns. Column 1 gives the requirement itself. Column 2 describes the testing procedure that an auditor or tester would follow to see if the requirement has been implemented correctly. Column 3 gives general guidance. In reviewing the standard, you should concentrate on columns 1 and 3.
The following sections give a very brief overview of each of the requirements. However, you should download and read the actual standard.