Compliance
How can Probely help you achieve compliance with security certifications?
Achieve PCI-DSS Compliance Using Probely’s Automated Scanner
If your organization stores, processes or transmits cardholder data, your organization must comply with the Payment Card Industry Data Security Standard (PCI-DSS). Non-compliance may result in fines and having your merchant account blocked. There are varying levels of compliance, depending on what type of provider you are and how you interact with cardholder data. If you’re reading this, you’re probably looking for SAQ A-EP or SAQ D compliance (Merchant or Service Provider).
The PCI-DSS stipulates that vendors of public-facing web applications regularly address new threats and vulnerabilities to protect them from known attacks. Two methods are suggested: using manual or automated web application vulnerability scanning tools or methods at least annually and after any changes in the application, or installing an automated solution that assesses all targets. The goal is to detect security gaps and prevent web-based attacks against all public-facing web applications. Please note that Requirement 6.6 is not achieved using an Approved Scanning Vendor (ASV) as defined in Requirement 11.2. This is a different type of scanner with a different purpose (and so are requirements 6.6 and 11.2).
Probely provides an easy and effective way to comply with PCI-DSS, by automating and integrating scanning into your development processes and CI/CD pipelines. Scan reports include a PCI section with all requirements listed below and whether the target has failed or succeeded. Alternatively, you can produce a PCI-DSS Compliance Report.
PCI-DSS Requirement checklist
Probely helps you meet the following PCI requirements:
4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over public networks
6.2 Ensure that all system components have the latest security patches installed
6.5
6.5.1 Address injection flaws (SQL injection, OS Command injection, XPath, etc)
6.5.4 Address insecure communication flaws
6.5.5 Address improper error handling flaws
6.5.6 Address all “high risk” identified vulnerabilities
6.5.7 Address Cross-site scripting (XSS) vulnerabilities
6.5.8 Address improper access control flaws
6.5.9 Address Cross-site request forgery (CSRF) flaws
6.5.10 Address Broken authentication and session management flaws
6.6 Review public-facing web applications via automated application vulnerability scanning tools after any change and at least annually.
Meet the GDPR for Secure Processing and Regular Testing
If you collect, process, store, analyze or share personal data of European Union (EU) citizens or clients, your organization must comply with the Generation Data Protection Regulation (GDPR). What needs to be done depends on how the data is processed and your existing security measures. For web application and API vendors, it entails deploying safer code, frequent security audits and regular security testing. Non-compliance can result in heavy fines and other penalties.
Specifically, GDPR Article 32 calls for:
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Probely helps you deploy safer web applications and APIs and run continuous, automated security tests. Testing is accompanied by vulnerability scanning reports, which showcase your security to auditors, help you mitigate vulnerabilities, and encourage an ongoing security dialog in your company.
GDPR Requirements Checklist
Here are the GDPR Articles related to Vulnerability Assessment, that Probely can help you with:
Article 32 (p.52) - “Security of Processing”
- “… shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:”
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Article 39 (p.56) - “Tasks of the data protection office”
- The data protection office shall have at least the following tasks:
- “To monitor compliance with this regulation…”
- “To monitor compliance with this regulation…”
Achieve ISO 27001 Compliance With Probely’s Built-in Risk Assessment & Reports
If your organization is planning to comply with ISO27001, you must write an Information Security Management System (ISMS). ISO27001 provides the standard for the specification for an ISMS. It should be concerned with the risk management of people, processes and technology. In terms of information security, it should demonstrate how you defend against external attacks, as well as internal threats such as human error that can lead to accidental breaches. There are three key aspects to an ISMS: confidentiality, integrity, availability. ISO27001 also helps you work toward compliance with GDPR and the Network and Information Systems Regulations (NIS).
Annex A 12.6.1 encourages organizations to ensure they develop a “robust system capable of preventing breaches”.
Probely enables you to perform web application and API vulnerability assessments, to identify vulnerabilities and get guidance on how to fix them. Probely also includes a vulnerability management capability, meaning you can assign, re-test, accept risks and check the history of each vulnerability. You can either schedule a periodic scan or integrate Probely with your CI/CD tools using our API, in order to include it into your SDLC.
Once you find the vulnerabilities, you can minimize the risk and prevent their potential exploitation by an attacker (control A 12.6.1 Annex 1) using Probely’s tailored guidance on how to fix them.
Probely’s ISO 27001 Compliance Reports
Showcase your web application and API security assessment results to your security auditor using our built-in compliance reports. For example, ISO 27001 requires you to take security best practices into account and to follow a reference framework. For web applications, the most popular reference is OWASP TOP 10. Probely allows you to download an OWASP Top 10 Compliance report.
Achieve HIPAA Compliance using Probely
HIPAA security standards help organizations that deal with patient healthcare records ensure the protection and security of such records. Healthcare organizations can use Probely’s web application vulnerability scanner to execute HIPAA vulnerability scanning. By doing this, you will increase your efforts toward HIPAA compliance.
Using Probely, organizations can automate their security vulnerability scanning (a HIPAA security rule) and fix the vulnerabilities using the guidelines given by Probely, providing their clients with a more secure web app.
In short, Probely can help you, as a technical safeguard (Technical Safeguards § 164.312), with the requirements stated in the Security Rule of Title II.
Health organizations benefit from using Probely by being able to:
- Scan for over 3000 vulnerabilities including the OWASP Top 10, such as SQL Injections, Cross-site Scripting (XSS) and many more
- Save time and money by having a quick automated security tool that will help you continuously scan for vulnerabilities and address them in the early stages of your development
- Provide their patients with secure web applications that can securely store electronic protected health information (ePHI)