Compliance

How can Probely help you with Compliance?


Achieve PCI-DSS Compliance using Probely

If your business transmits, processes or stores cardholder data, PCI-DSS compliance is required. Failing to comply may result in fines and in your merchant account being blocked. There are several levels of compliance, depending on whether you are a merchant or a service provider and on how you interact with cardholder data. If you are reading this, you are probably looking at SAQ A-EP or SAQ D (Merchant or Service Provider).

For public-facing web applications, PCI-DSS requirement 6.6 requires that new threats and vulnerabilities are addressed on an ongoing basis and that those applications are protected against known attacks, either by reviewing them with an application vulnerability assessment tool, like Probely, at least annually and after any change, or by placing an automated technical solution that detects and prevents web-based attacks (such as a web application firewall) in front of them. Please note that requirement 6.6 is not satisfied by scans from an Approved Scanning Vendor (ASV) as defined in requirement 11.2: those are quarterly external network vulnerability scans, while 6.6 is an application-layer review, so the two types of scanner and the two requirements serve different purposes. The numbering here follows PCI DSS v3.2.1; v4.0 renumbers these requirements (the 6.6 review becomes 6.4.1), so map them accordingly when reading a newer SAQ.

Probely provides an easy and effective way to comply, by automating scanning and integrating it into your development process and CI/CD pipelines. Scan reports include a PCI section that lists each of the requirements below and marks it as passed or failed.

PCI-DSS Requirement checklist

Probely helps you meet the following PCI requirements:

  • 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks
  • 6.5 Address common coding vulnerabilities in software-development processes
    • 6.5.1 Address injection flaws (SQL injection, OS command injection, XPath injection, etc.)
    • 6.5.4 Address insecure communication flaws
    • 6.5.5 Address improper error handling flaws
    • 6.5.6 Address all "high risk" vulnerabilities identified in the vulnerability identification process
    • 6.5.7 Address cross-site scripting (XSS) vulnerabilities
    • 6.5.8 Address improper access control flaws
    • 6.5.9 Address cross-site request forgery (CSRF) flaws
    • 6.5.10 Address broken authentication and session management flaws
  • 6.6 Review public-facing web applications with an automated application vulnerability assessment tool at least annually and after any change

GDPR Security measures and Probely

What needs to be done for GDPR compliance depends on how personal data is processed in your organization and on the security measures already in place. In practice, the data protection plan entails deploying safer code, frequent security audits and regular testing. Specifically, GDPR Article 32 calls for:

“a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”

This is where Probely can be of value. Probely helps you deploy safer code and provides automated, continuous security tests. The vulnerability scanning reports serve as evidence of regular testing for Article 32(1)(d), document that identified vulnerabilities were acted on, and give you material to keep an ongoing security dialogue going in your company and to show your security posture to auditors.

Probely GDPR Checklist

Here are the GDPR Articles related to Vulnerability Assessment, that Probely can help you with:

Article 32 (p.52) - “Security of Processing”

  1. “... shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:”
    • b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Article 39 (p.56) - "Tasks of the data protection officer"

  1. The data protection officer shall have at least the following tasks:
    • b) "to monitor compliance with this Regulation..."

ISO 27001 vulnerability compliance with Probely

Achieving and maintaining ISO 27001 compliance can be a daunting task for any type of business. However, Probely can help you with some of the requirements.

You can use Probely to perform web vulnerability assessments of your web applications, to identify vulnerabilities and get guidance on how to fix them. Probely also includes a Vulnerability Management: Assign, re-test, accept risk and check the history of each vulnerability.

In order to include Probely in your Software Development Life-Cycle and to ensure periodic vulnerability scanning, you can either schedule a recurring scan (daily, weekly or monthly) or integrate Probely with your CI/CD tools using our API, so that every change is scanned before it reaches production.
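As an added example, not Probely's own code or API, the following script shows the shape of a CI/CD gate around a DAST scan: start a scan, wait for it to finish, then fail the pipeline on unresolved findings at or above a severity threshold while letting findings whose risk was formally accepted through. The endpoint paths, the `JWT` authorization header, the status values and the JSON field names are assumptions that must be replaced with the ones in the vendor's API documentation; the sample findings are constructed so the gate logic can be exercised offline.

```python
"""
CI/CD gate around a DAST scan: trigger, wait, then fail the pipeline on
unresolved findings at or above a severity threshold.

Added example, not Probely's own code. The HTTP endpoints, JSON field
names, auth header scheme and status values below are ASSUMPTIONS about
a vendor API and must be checked against the vendor's API documentation.
"""
import json
import os
import sys
import time
import urllib.request

# Severity ordering used for the gate (field values are assumed).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Findings in these states were already handled in the vulnerability
# management workflow (fixed, or risk formally accepted), so they must
# not break the build. State names are assumed.
NON_BLOCKING_STATES = ("fixed", "accepted", "invalid")


def blocking_findings(findings, fail_on="high"):
    """Return the findings that should fail the pipeline.

    A finding blocks when its severity is at or above `fail_on` and it is
    not in a non-blocking state. Unknown severities rank as 0 (ignored).
    """
    threshold = SEVERITY_RANK[fail_on]
    return [
        f for f in findings
        if SEVERITY_RANK.get(str(f.get("severity", "")).lower(), 0) >= threshold
        and str(f.get("state", "")).lower() not in NON_BLOCKING_STATES
    ]


def gate(findings, fail_on="high"):
    """Evaluate findings; return (exit_code, blocking_ids, counts_by_severity)."""
    blocking = blocking_findings(findings, fail_on)
    counts = {}
    for f in blocking:
        sev = str(f.get("severity", "")).lower()
        counts[sev] = counts.get(sev, 0) + 1
    return (1 if blocking else 0, [f["id"] for f in blocking], counts)


def api_call(method, url, token, body=None):
    """Minimal JSON client; the 'JWT <token>' header scheme is an assumption."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"Authorization": "JWT " + token,
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def run_scan_and_gate(base_url, target_id, token, fail_on="high",
                      timeout_s=3600, poll_s=30):
    """Start a scan, poll until it finishes, fetch its findings and gate.

    Endpoint paths and the "id"/"status"/"results" fields are assumptions.
    """
    scan = api_call("POST", f"{base_url}/targets/{target_id}/scan_now/", token, {})
    scan_id = scan["id"]
    deadline = time.monotonic() + timeout_s
    while True:
        status = api_call("GET", f"{base_url}/targets/{target_id}/scans/{scan_id}/",
                          token)["status"]
        if status in ("completed", "completed_with_errors"):
            break
        if status in ("failed", "canceled"):
            raise RuntimeError(f"scan {scan_id} ended with status {status}")
        if time.monotonic() > deadline:
            raise TimeoutError(f"scan {scan_id} still {status} after {timeout_s}s")
        time.sleep(poll_s)
    page = api_call("GET", f"{base_url}/targets/{target_id}/findings/?scan={scan_id}",
                    token)
    return gate(page["results"], fail_on)


# Constructed sample findings for an offline dry run of the gate logic.
SAMPLE_FINDINGS = [
    {"id": 101, "severity": "high", "state": "notfixed", "name": "SQL Injection"},
    {"id": 102, "severity": "high", "state": "accepted", "name": "Cross-site Scripting"},
    {"id": 103, "severity": "medium", "state": "notfixed", "name": "Missing CSRF token"},
    {"id": 104, "severity": "low", "state": "fixed", "name": "Server version disclosed"},
]

if __name__ == "__main__":
    # Hypothetical environment variables; set them in the CI job to run for real.
    if os.environ.get("DAST_API_TOKEN") and os.environ.get("DAST_TARGET_ID"):
        code, ids, counts = run_scan_and_gate(
            os.environ.get("DAST_API_BASE", "https://api.example.invalid"),
            os.environ["DAST_TARGET_ID"], os.environ["DAST_API_TOKEN"],
            fail_on=os.environ.get("DAST_FAIL_ON", "high"))
    else:
        code, ids, counts = gate(SAMPLE_FINDINGS)  # offline dry run on sample data
    print(f"blocking findings: {ids} by severity: {counts}")
    sys.exit(code)
```

Run with no environment variables for the dry run; it exits non-zero because finding 101 is an unresolved high-severity SQL injection, while the accepted-risk XSS (102) does not block. Lower the threshold with `DAST_FAIL_ON=medium` to also block on the CSRF finding; keep the threshold in CI configuration rather than in code so that tightening it is a reviewable change.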

Once you have found the vulnerabilities, you have to prevent their exploitation by an attacker (Annex A control A.12.6.1, Management of technical vulnerabilities, in ISO/IEC 27001:2013; control A.8.8 in the 2022 revision). For this, Probely gives you tailored guidance on how to fix each vulnerability, which minimizes the window in which it can be exploited.

Probely’s ISO 27001 compliance reports

Probely has compliance reports built in, which you can use to show assessment results to your security auditor. ISO 27001 expects you to take recognized security practices into account and to test against a reference framework.

For web applications, the most widely used reference is the OWASP Top 10, and you can download an OWASP Top 10 compliance report from Probely.

Achieve HIPAA Compliance using Probely

HIPAA security standards help organizations that handle patient healthcare records protect those records. Healthcare organizations can use Probely's web application vulnerability scanner as part of the vulnerability scanning that supports HIPAA compliance.

Using Probely, organizations can automate vulnerability scanning, which supports the Security Rule's risk analysis and periodic technical evaluation requirements (§ 164.308(a)(1)(ii)(A) and § 164.308(a)(8)), and fix the vulnerabilities using the guidance Probely provides, giving their clients a more secure web application.

In short, Probely can help you implement technical safeguards (§ 164.312) and meet the requirements of the Security Rule in HIPAA Title II.

Health organizations benefit from using Probely by being able to:

  • Scan for over 3000 vulnerabilities, including the OWASP Top 10 classes such as SQL injection and cross-site scripting (XSS)
  • Save time and money with a fast, automated security tool that continuously scans for vulnerabilities so they can be addressed early in development
  • Provide patients with secure web applications that store electronic protected health information (ePHI) safely
