💼 6.5 Address common coding vulnerabilities in software-development processes.

• ID: /frameworks/pci-dss-v3.2.1/06/05

Description

As follows:

• Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
• Develop applications based on secure coding guidelines.

The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASPGuide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.

Similar

• Sections
  • /frameworks/pci-dss-v4.0/06/02/02
• Internal
  • ID: dec-c-61590095

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 PCI DSS v4.0 → 💼 6.2.2 Software development personnel working on bespoke and custom software are trained at least once every 12 months.					no data

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 PCI DSS v4.0 → 💼 6.2.2 Software development personnel working on bespoke and custom software are trained at least once every 12 months.					no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.			5		no data
💼 6.5.2 Buffer overflows.			5		no data
💼 6.5.3 Insecure cryptographic storage.			5		no data
💼 6.5.4 Insecure communications.			5		no data
💼 6.5.5 Improper error handling.			5		no data
💼 6.5.6 All “high risk” vulnerabilities identified in the vulnerability identification process.			5		no data
💼 6.5.7 Cross-site scripting (XSS).			5		no data
💼 6.5.8 Improper access control.			5		no data
💼 6.5.9 Cross-site request forgery (CSRF).			5		no data
💼 6.5.10 Broken authentication and session management.			5		no data