
Rapid Application Security

How can developers understand the security risks and translate that into meeting the new PCI Software Security Framework (SSF)?


Speed limits on our freeways exist for a reason. Above a certain speed, the risk of an accident rises far faster than the time you save in reaching your destination safely. In today's rapidly developing and changing IT landscape, speed is demanded, yet the risks that come with that speed are rarely understood. Developers are under pressure to meet changing requirements from multiple sources, including configuration management, asset identification, automated pipelines, several different standards and regulations, and more. How can developers meet these demands in a way that the corresponding business teams can leverage to meet their critical business objectives?

This paper will endeavor to answer that question with the premise that understanding the risks of rapid development is at the core of successfully integrating DevOps with a secure and compliant approach. The Payment Card Industry Data Security Standard (PCI DSS) will be used as an example of one of the common standards that developers must translate into different applications with different contextual challenges. How can a developer understand the security risks and translate that understanding into meeting the new PCI Software Security Framework (SSF)? How can security and functionality be orchestrated from a single location so that hardware, software, and firmware are all properly developed and maintained?

Security Compass offers SD Elements, a tool that speaks the language of risk to both developers and business teams. The features of SD Elements will be reviewed to see how well they can meet this challenge of needing to go fast and still stay safe on the road to a successful go-to-market strategy.

About the Author

Dan Fritsche, CISSP, is the Founder of Alpine Security Consulting. Dan's specialty is security innovation, in which he helps companies turn security from a hurdle into a strategic investment. Dan started his career in a security-focused role at IBM, where he supported functions such as penetration testing, vulnerability scanning, application security, and business intelligence across multiple units during his decade-long tenure. After IBM, he worked at Coalfire, where he helped companies improve their posture in application security, encryption, tokenization, and many other security specialties. Dan went on to help Global Payments drive the value and involvement of innovative security approaches as early in the application development life cycle as possible. Dan has held several certifications, such as PCI QSA, PA-QSA, and P2PE QSA/PA-QSA, for at least five to 10 years.
