PCI’s new Secure Software Lifecycle (Secure SLC) assessment standard has been released. This new Secure SLC standard, released alongside the Software Security Framework (SSF) that we’ll talk about in a separate blog, provides a framework for assessing how payment software vendors develop and maintain secure payment software. Similar to the current Merchant and Service Provider PCI assessment process, this new standard provides a standardized method for assessing and approving the software development processes of payment software creators. The assessment must be carried out by a Secure SLC Assessor (similar to a Qualified Security Assessor) who works for a Software Security Assessor Company, and it results in a Secure SLC Report on Compliance (RoC).
It is currently unclear what benefits certification will provide to payment software vendors, beyond third-party validation that the company follows secure programming practices in its development efforts. At this time there does not appear to be any follow-on requirement that would mandate payment software companies to undergo this type of assessment on an annual basis. Additionally, because both the standard and the assessor designation are brand new, it remains to be seen how quickly organizations will seek to become qualified as assessors or to have these assessments performed, especially while the benefits are unclear.
If you’re considering having an assessment performed, or even becoming qualified to perform these types of assessments, the Secure SLC standard covers the following domains of knowledge. Assessors must possess 1 to 3 years of experience in each of these domains, and organizations should expect an assessment to dive into each category.
- Software/Systems Design
- Programming/Software Development
- Software/Systems Testing
- Security Risk Assessment
- System/Software Security Controls Selection
- Security Architecture
- Systems/Software Penetration Testing
- Threat and Vulnerability Detection and Management
- Incident Detection and Response
- Cryptography and Key Management
If you’re thinking about having a Secure SLC assessment performed or if you want to discuss the benefits/process, please reach out and we would love to discuss!