Skip to main content

πŸ’Ό 6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software.

  • ID: /frameworks/pci-dss-v4.0/06/02/04

Stats​

not available

Description​

including but not limited to the following:

  • Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws.
  • Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data.
  • Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation.
  • Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, client-side functionality, or other system/application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF).
  • Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms.
  • Attacks via any β€œhigh-risk” vulnerabilities identified in the vulnerability identification process, as defined in Requirement 6.3.1.

Similar​

  • Sections
    • /frameworks/pci-dss-v4.0.1/06/02/04
    • /frameworks/pci-dss-v3.2.1/06/05/01
    • /frameworks/pci-dss-v3.2.1/06/05/02
    • /frameworks/pci-dss-v3.2.1/06/05/03
    • /frameworks/pci-dss-v3.2.1/06/05/04
    • /frameworks/pci-dss-v3.2.1/06/05/05
    • /frameworks/pci-dss-v3.2.1/06/05/06
    • /frameworks/pci-dss-v3.2.1/06/05/07
    • /frameworks/pci-dss-v3.2.1/06/05/08
    • /frameworks/pci-dss-v3.2.1/06/05/09
    • /frameworks/pci-dss-v3.2.1/06/05/10
  • Internal
    • ID: dec-c-83bf5577

Similar Sections (Take Policies From)​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.2 Buffer overflows.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.3 Insecure cryptographic storage.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.4 Insecure communications.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.5 Improper error handling.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.6 All β€œhigh risk” vulnerabilities identified in the vulnerability identification process.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.7 Cross-site scripting (XSS).5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.8 Improper access control.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.9 Cross-site request forgery (CSRF).5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.10 Broken authentication and session management.5no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software.5no data

Similar Sections (Give Policies To)​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.2 Buffer overflows.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.3 Insecure cryptographic storage.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.4 Insecure communications.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.5 Improper error handling.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.6 All β€œhigh risk” vulnerabilities identified in the vulnerability identification process.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.7 Cross-site scripting (XSS).5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.8 Improper access control.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.9 Cross-site request forgery (CSRF).5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.5.10 Broken authentication and session management.5no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software.5no data

Sub Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance

Policies (5)​

PolicyLogic CountFlagsCompliance
πŸ›‘οΈ AWS ECR Repository Manual Scanning is enabled🟒1🟒 x6no data
πŸ›‘οΈ AWS ELB Application Load Balancer is not configured to drop invalid HTTP headers🟒1🟒 x6no data
πŸ›‘οΈ AWS ELB Load Balancer is not configured with defensive or strictest desync mitigation mode🟒1🟒 x6no data
πŸ›‘οΈ AWS Inspector Lambda Code Scanning is not enabled🟒1🟒 x6no data
πŸ›‘οΈ AWS Inspector Lambda Standard Scanning is not enabled🟒1🟒 x6no data