As compliance managers, we often find ourselves in a struggle. Our responsibility is to uphold compliance standards, but in order to achieve this we need to “sell” the concept to the relevant stakeholders, inter alia the business teams and R&D. We’re put in the position of justifying required changes and processes and are thus mistakenly perceived as business “stoppers” rather than enablers. Additionally, compliance is not confined to upholding standards; it also involves monitoring, evaluating and remediating.
On top of that, the compliance world is getting more and more complex, with new regulations and guidelines that need to be assimilated frequently into the organization.
PCI SSC sets a strict security framework
In January 2019, the Payment Card Industry Security Standards Council (PCI SSC) released a new security framework, targeted at software companies developing payment applications. This new framework, among other things, discussed the case in which open source software components are included in software development (which, let’s face it, we can safely conclude applies to all software development).
Many requirements are stated in this framework, with the main ones requiring you to:
- Manage an inventory of the open source components used in your software.
- Establish a mature process for analyzing and mitigating the use of open source components with known vulnerabilities.
- Monitor vulnerabilities in the open source components in your software so that you are alerted when new vulnerabilities are identified, and prepare an appropriate, predefined patching strategy for those components.
- Use tools that secure and manage the open source components in your applications.
So all of the above leads to the question: how can we facilitate this process from the compliance side? How can we maintain compliance with minimum effort?
Xray comes to the rescue!
Fear not, this is where JFrog comes to the rescue. All you need to do is integrate JFrog Xray into your CI/CD cycle.
What is Xray?
Xray is a universal recursive binary analysis solution that natively integrates with JFrog Artifactory to analyze software components and reveal any vulnerabilities at every stage of the software development lifecycle. It now comes with VulnDB, the industry’s most timely and comprehensive security vulnerability intelligence database, which is constantly updated with new vulnerability data. Xray also has configurable policies, which allow you to define security and license compliance behavior specifications. In simple words, a policy is a set of rules that can be set up to define license or security criteria, with a corresponding set of automatic actions according to your needs.
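To make the policy idea concrete, here is an added example that is not JFrog's or Xray's code: a minimal policy engine that evaluates a constructed component inventory against a constructed vulnerability feed and license criteria, and turns the results into an automatic build action and a patching plan. It illustrates the framework requirements listed earlier (inventory, monitoring against known vulnerabilities, a predefined patching strategy) as well as the rule-plus-action structure described in this paragraph. All component names, versions, vulnerability ids and thresholds are assumptions made up for the example, and the `Policy`, `evaluate` and `patch_plan` names are hypothetical, not Xray's API.

```python
"""
Added example (not JFrog's or Xray's code): a minimal policy engine of the
kind described above, run over a constructed open source component inventory
and a constructed vulnerability feed. It covers the framework requirements
listed earlier: keep an inventory, check it against known vulnerabilities,
apply predefined criteria with automatic actions, and derive a patching plan.
"""
from dataclasses import dataclass, field

# Constructed build inventory. Component names, versions and licenses are
# made up for the example; a real pipeline would produce this from the build.
INVENTORY = [
    {"name": "example-json-parser", "version": "1.2.3", "license": "MIT"},
    {"name": "example-crypto-lib", "version": "0.9.0", "license": "GPL-3.0"},
    {"name": "example-http-client", "version": "4.0.1", "license": "Apache-2.0"},
]

# Constructed vulnerability feed keyed by (name, version). The ids are
# placeholders, not real advisories; a scanner would consult a live database.
VULN_FEED = {
    ("example-json-parser", "1.2.3"): [
        {"id": "VULN-PLACEHOLDER-1", "cvss": 9.8, "fixed_in": "1.2.4"},
    ],
    ("example-http-client", "4.0.1"): [
        {"id": "VULN-PLACEHOLDER-2", "cvss": 4.3, "fixed_in": "4.0.2"},
    ],
}


@dataclass(frozen=True)
class Policy:
    """Criteria plus the automatic action each one triggers (values are assumed)."""
    fail_cvss: float = 7.0                                # CVSS at or above this fails the build
    banned_licenses: frozenset = frozenset({"GPL-3.0"})   # licenses that fail the build


@dataclass
class Verdict:
    action: str                                   # "pass", "warn" or "fail_build"
    findings: list = field(default_factory=list)


# Order used to escalate the overall action; one failing rule fails the build.
_RANK = {"pass": 0, "warn": 1, "fail_build": 2}


def evaluate(inventory, feed, policy):
    """Apply the policy to every component and return the overall verdict."""
    verdict = Verdict(action="pass")

    def raise_to(action):
        if _RANK[action] > _RANK[verdict.action]:
            verdict.action = action

    for comp in inventory:
        key = (comp["name"], comp["version"])
        if comp["license"] in policy.banned_licenses:
            verdict.findings.append({"component": key, "rule": "license",
                                     "detail": comp["license"], "action": "fail_build"})
            raise_to("fail_build")
        for vuln in feed.get(key, []):
            # Below the threshold the vulnerability is still recorded (monitoring),
            # but only raises a warning instead of stopping the build.
            action = "fail_build" if vuln["cvss"] >= policy.fail_cvss else "warn"
            verdict.findings.append({"component": key, "rule": "vulnerability",
                                     "detail": vuln["id"], "cvss": vuln["cvss"],
                                     "fixed_in": vuln["fixed_in"], "action": action})
            raise_to(action)
    return verdict


def patch_plan(verdict):
    """Predefined patching strategy: the upgrades that clear every vulnerability finding."""
    return sorted({(f["component"][0], f["component"][1], f["fixed_in"])
                   for f in verdict.findings if f["rule"] == "vulnerability"})


if __name__ == "__main__":
    result = evaluate(INVENTORY, VULN_FEED, Policy())
    print("build action:", result.action)
    for finding in result.findings:
        print(finding)
    print("patch plan:", patch_plan(result))
```

With the default policy the constructed inventory fails the build on two counts (a critical vulnerability and a banned license) and records the low-severity vulnerability as a warning, which is the monitoring behaviour the framework asks for; loosening the thresholds downgrades the same findings to warnings without losing them from the record.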
JFrog Xray meets all your PCI SSC requirements
By using Xray, you’re empowered to:
- Identify the vulnerabilities and their origin during the development process, and consequently maintain an inventory of the open source components
- Use the policies to monitor for vulnerabilities and establish a process for handling components with known vulnerabilities
- Evaluate whether the process is efficient and whether the risk is managed to an acceptable level
Note: Readers should advise their Legal Counsel to confirm compliance with this framework.