According to the Verizon PCI Compliance Report, 84% of organizations that suffered a data breach were out of compliance with application-layer security controls (Requirement 6), compared to an average of only 47% of all organizations assessed by Verizon QSAs in 2013.
This suggests a strong correlation between the likelihood of suffering a data breach and non-compliance with application security.
Our platform assesses applications for compliance with standard controls such as PCI, the OWASP Top 10 and the CWE/SANS Top 25. Policies can easily be customized to support specific audit requirements as well as compliance requirements for SOX, HIPAA and NIST 800-53.
We also provide automated, pre-configured reports and workflows for reducing the cost and complexity of compliance.
Pre-configured PCI reporting
The pre-configured report compares analysis results to the requirements in PCI-DSS sections 6.3.6, 6.5 and 6.6 and PA-DSS Sections 5.1.7 and 5.2.
We also implement the guidance in the PCI 3.0 standard on evaluating applications against “industry best practices for vulnerability management” such as the OWASP Top 10, CWE/SANS Top 25, CERT Secure Coding and other standards.
Vulnerabilities in third-party components are now covered as part of the OWASP Top 10, and the PCI standard expressly requires that an application be free of any High or Very High Severity flaws.
HIPAA, SOX, GLBA, NIST & MAS
Reports can easily be customized by starting with the pre-configured controls specified in the PCI policy and modifying the rules to support external compliance mandates and internal audit requirements specific to your organization.
Automated workflows with secure audit trails
We provide built-in automated workflows to reduce communication overhead as well as to provide a secure audit trail of your approval processes. For example, you can specify that:
Notifications about policy changes be sent automatically to the team assigned to the application; to any users with the Security Lead role; and to the application Business Owner. You can also send notifications about upcoming scans that are due, and when a flaw is about to exceed the grace period set in the policy.
Approvals must be obtained for items such as mitigating controls that temporarily remove the need to address the flaw via code-level remediation (e.g., changes to WAF rules, operating system features, network implementation or application design). You can also specify that approval is required for all new scan requests, such as requests from developers or third-party vendors to re-scan their applications; and for new users that self-register via SAML authentication.
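The policy rules described above (a severity threshold, a grace period, and mitigating controls that only count once approved) are easy to get subtly wrong, so here is an added worked example of such an evaluation. It is illustrative code written for this page, not the platform's own implementation or API; the severity names, the Finding and Policy fields, and the sample findings are constructed assumptions.

```python
"""Evaluate constructed scan findings against a constructed compliance policy.

Added example; not the platform's code. Names and fields are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Severity ordering assumed for this example.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Very High": 4}


@dataclass
class Finding:
    flaw_id: str
    cwe: int
    severity: str
    first_found: date
    status: str = "open"               # new | open | fixed | re-opened
    mitigation: Optional[str] = None   # e.g. "WAF rule", "OS feature"
    mitigation_approved: bool = False  # True only after the approval workflow completes


@dataclass
class Policy:
    name: str
    fail_at: str = "High"   # findings at or above this severity must be remediated
    grace_days: int = 30    # days allowed to remediate before the policy fails


@dataclass
class Evaluation:
    passed: bool
    failing: List[Finding]    # past grace, not fixed, no approved mitigation
    in_grace: List[Finding]   # still inside the grace period
    mitigated: List[Finding]  # excluded by an approved mitigating control


def evaluate(policy: Policy, findings: List[Finding], today: date) -> Evaluation:
    """Classify each finding; the policy passes only if nothing is failing."""
    failing, in_grace, mitigated = [], [], []
    threshold = SEVERITY_RANK[policy.fail_at]
    for f in findings:
        if f.status == "fixed" or SEVERITY_RANK[f.severity] < threshold:
            continue  # fixed, or below the policy threshold: nothing to do
        if f.mitigation and f.mitigation_approved:
            mitigated.append(f)  # a proposed but unapproved mitigation does NOT count
            continue
        if today - f.first_found <= timedelta(days=policy.grace_days):
            in_grace.append(f)
        else:
            failing.append(f)
    return Evaluation(not failing, failing, in_grace, mitigated)


def grace_expiring(policy: Policy, findings: List[Finding], today: date,
                   warn_days: int = 7) -> List[str]:
    """IDs of in-grace findings whose grace period ends within warn_days.

    This is the condition on which a 'flaw about to exceed grace period'
    notification would be sent.
    """
    due = []
    for f in evaluate(policy, findings, today).in_grace:
        deadline = f.first_found + timedelta(days=policy.grace_days)
        if deadline - today <= timedelta(days=warn_days):
            due.append(f.flaw_id)
    return due


# Constructed sample data: a fixed "today" and seven findings exercising each branch.
TODAY = date(2014, 3, 1)
SAMPLE = [
    Finding("F-1", 89, "Very High", TODAY - timedelta(days=45)),      # past grace: fails
    Finding("F-2", 79, "High", TODAY - timedelta(days=5)),            # in grace
    Finding("F-3", 79, "High", TODAY - timedelta(days=27)),           # grace ends in 3 days
    Finding("F-4", 22, "High", TODAY - timedelta(days=60),
            mitigation="WAF rule", mitigation_approved=True),         # approved mitigation
    Finding("F-5", 22, "High", TODAY - timedelta(days=60),
            mitigation="WAF rule"),                                   # unapproved: fails
    Finding("F-6", 200, "Medium", TODAY - timedelta(days=90)),        # below threshold
    Finding("F-7", 89, "Very High", TODAY - timedelta(days=90), status="fixed"),
]
PCI = Policy("PCI-style policy (constructed)", fail_at="High", grace_days=30)

if __name__ == "__main__":
    ev = evaluate(PCI, SAMPLE, TODAY)
    print("passed:", ev.passed)
    print("failing:", [f.flaw_id for f in ev.failing])
    print("in grace:", [f.flaw_id for f in ev.in_grace])
    print("mitigated:", [f.flaw_id for f in ev.mitigated])
    print("notify (grace expiring):", grace_expiring(PCI, SAMPLE, TODAY))
```

The two design points worth noting: a mitigation removes a finding from the failing set only once `mitigation_approved` is set by the approval workflow, and the grace-period check is computed from the date the flaw was first found rather than from the latest scan, so re-scanning does not reset the clock.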
Integration with GRC frameworks
Governance, Risk and Compliance (GRC) frameworks are often used to track strategic programs at the corporate level. Our platform integrates with RSA Archer via XML to share critical information such as application security scores; listings of all discovered flaws; and flaw status information (new, open, fixed, or re-opened).
Summary data is also included for third-party assessments, including scores and top-risk categories. Similar integrations can be developed for other GRC systems such as IBM OpenPages through our APIs.