PCI 3.0 Motivates Organizations to Train Developers to Write More Secure Code

Application Security Professionals Rejoice! As we charge into another holiday season here in the States, the most recent version of the Payment Card Industry Data Security Standard (PCI DSS) has been released. The changes incorporated into Version 3.0 were driven by member feedback recognizing that today’s software developers are sorely lacking in knowledge of secure coding best practices. Many of the changes in Version 3.0 will need to be implemented before the beginning of 2015… and while that sounds like a long time from now, it’s only thirteen months away!

It’s no surprise that one of the drivers for change listed in Version 3.0 is the lack of security education and security awareness among software developers, architects, and testers in the industry. Requirement 6.5a now states: “Obtain and review software development processes. Verify that processes require training in secure coding techniques for developers, based on industry best practices and guidance.”

Too often, management has assumed that their software development teams know and are implementing secure software development best practices. This has been a very self-destructive assumption. A recent study of six hundred application developers tested their application security knowledge, with the following results: “Quizzed on 15 questions, less than a third of the respondents (27 percent) accurately answered more than 70% of the test. The average score on the quiz was 59%. Developers with more than seven years of experience fared no better than those with fewer than three years' experience.”

PCI DSS Version 3.0 Requirement 6.5a now pushes management to educate their developers if they wish to remain PCI compliant. This is the type of mandate long needed in an industry where developers are often pushed to focus on speed and functionality. Let’s hope that this requirement results in less of our personal data being stolen by the bad guys.