An online store as a web application is protected by automated technical solutions that detect and prevent web-based attacks. As a security professional, you are hired to help them understand the Payment Card Industry Data Security Standard (PCI DSS) requirements and best practices. Which of the following is not true?
A. Web application assessments shall be conducted at least annually and after any changes.
B. A web application firewall is typically implemented in front of public-facing web applications.
C. Testing improper access control such as insecure direct object references must apply to all applications.
D. SQL injection is of most concern among injection flaws such as OS Command, LDAP, and XPath injection.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Testing improper access control such as insecure direct object references must apply to all applications.
Entities that process credit card data must comply with the requirements of PCI DSS. PCI DSS has general requirements that apply to all applications and specific requirements imposed only on web applications and application interfaces. Improper access control (including insecure direct object references) belongs to the requirements for web applications and application interfaces, whereas injection flaws, with SQL injection specifically called out in PCI DSS, apply to all applications.
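To make the two flaw classes named in options C and D concrete, here is an added illustration that is not part of the original post: an order lookup with both defects (the id is spliced into the SQL text, and no ownership check is made) next to a hardened version that uses a parameterised query and a server-side ownership filter. The table, the user names and the order values are constructed sample data, and the function names are hypothetical.

```python
import sqlite3


def make_db():
    """Constructed sample store: two customers, one order each (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, total REAL NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 19.99), (2, "bob", 250.0)],
    )
    conn.commit()
    return conn


def get_order_vulnerable(conn, order_id):
    """Illustrates both weaknesses the options name (hypothetical code).

    - injection flaw: the caller-supplied id is concatenated into the SQL text
    - insecure direct object reference: whoever supplies an id gets that order,
      with no check that the requester owns it
    """
    sql = "SELECT id, owner, total FROM orders WHERE id = " + str(order_id)
    return conn.execute(sql).fetchone()


def get_order_hardened(conn, requester, order_id):
    """Parameterised query plus ownership check (hypothetical hardened form).

    The id is validated as an integer, bound as a parameter rather than spliced
    into the statement, and the WHERE clause restricts the result to rows the
    authenticated requester owns, so another customer's order is never returned.
    """
    try:
        oid = int(order_id)
    except (TypeError, ValueError):
        return None  # malformed id: refuse rather than let the database guess
    return conn.execute(
        "SELECT id, owner, total FROM orders WHERE id = ? AND owner = ?",
        (oid, requester),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, alice asks for order 2:", get_order_vulnerable(db, "2"))
    print("vulnerable, injected predicate:     ", get_order_vulnerable(db, "1 OR 1=1"))
    print("hardened, alice asks for order 2:  ", get_order_hardened(db, "alice", 2))
    print("hardened, alice asks for order 1:  ", get_order_hardened(db, "alice", 1))
```

The ownership filter is the part an assessment of improper access control looks for, and the parameter binding is the part an injection test looks for; in the hardened version the integer validation also means a non-numeric id never reaches the database at all.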
The following diagrams are excerpts from PCI-DSS V3.2.1.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
An online store, as a web application, is protected by automated technical solutions that detect and block web-based attacks. As a security expert, you are hired to help them understand the requirements and best practices of the Payment Card Industry Data Security Standard (PCI DSS). Which of the following is not correct?
D. SQL injection is the issue of most concern among injection flaws (such as OS Command, LDAP, and XPath injection).