💼 6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software.

Contextual name: 💼 6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software.
ID: /frameworks/pci-dss-v4.0/06/02/04
Located in: 💼 6.2 Bespoke and custom software are developed securely.

Description

including but not limited to the following:

Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws.
Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data.
Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation.
Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, client-side functionality, or other system/application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF).
Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms.
Attacks via any “high-risk” vulnerabilities identified in the vulnerability identification process, as defined in Requirement 6.3.1.

Section	Sub Sections	Internal Rules	Policies	Flags
💼 PCI DSS v3.2.1 → 💼 6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
💼 PCI DSS v3.2.1 → 💼 6.5.2 Buffer overflows.
💼 PCI DSS v3.2.1 → 💼 6.5.3 Insecure cryptographic storage.
💼 PCI DSS v3.2.1 → 💼 6.5.4 Insecure communications.
💼 PCI DSS v3.2.1 → 💼 6.5.5 Improper error handling.
💼 PCI DSS v3.2.1 → 💼 6.5.6 All “high risk” vulnerabilities identified in the vulnerability identification process.
💼 PCI DSS v3.2.1 → 💼 6.5.7 Cross-site scripting (XSS).
💼 PCI DSS v3.2.1 → 💼 6.5.8 Improper access control.
💼 PCI DSS v3.2.1 → 💼 6.5.9 Cross-site request forgery (CSRF).
💼 PCI DSS v3.2.1 → 💼 6.5.10 Broken authentication and session management.
💼 PCI DSS v4.0.1 → 💼 6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software.

Section	Sub Sections	Internal Rules	Policies	Flags
💼 PCI DSS v3.2.1 → 💼 6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
💼 PCI DSS v3.2.1 → 💼 6.5.2 Buffer overflows.
💼 PCI DSS v3.2.1 → 💼 6.5.3 Insecure cryptographic storage.
💼 PCI DSS v3.2.1 → 💼 6.5.4 Insecure communications.
💼 PCI DSS v3.2.1 → 💼 6.5.5 Improper error handling.
💼 PCI DSS v3.2.1 → 💼 6.5.6 All “high risk” vulnerabilities identified in the vulnerability identification process.
💼 PCI DSS v3.2.1 → 💼 6.5.7 Cross-site scripting (XSS).
💼 PCI DSS v3.2.1 → 💼 6.5.8 Improper access control.
💼 PCI DSS v3.2.1 → 💼 6.5.9 Cross-site request forgery (CSRF).
💼 PCI DSS v3.2.1 → 💼 6.5.10 Broken authentication and session management.
💼 PCI DSS v4.0.1 → 💼 6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software.

Section	Sub Sections	Internal Rules	Policies	Flags