PCI DSS version 4.0 contains a host of new practices that will become requirements on March 31, 2025. In this talk, we focus on a change that looks — at first glance — to be minor, but in reality could have significant implications for Application Security teams: the requirement to manage all internal vulnerabilities, regardless of criticality.
We’ll focus on how to address open source software (OSS) vulnerabilities, including:
- What it means to “manage vulnerabilities”
- Why OSS presents the greatest risk to compliance with this new requirement
- The security tool problem preventing organizations from addressing OSS risk
- Getting accurate dependency inventories and prioritizing remediation
- Setting up guardrails to ensure developers select safe OSS dependencies
