
Managing Open Source Vulnerabilities for PCI DSS Compliance

Hosted by Brian Myers

Details

PCI DSS version 4.0 contains a host of new practices that will become requirements on March 31, 2025. In this talk, we focus on a change that looks — at first glance — to be minor, but in reality could have significant implications for Application Security teams: the requirement to manage all internal vulnerabilities, regardless of criticality.

We’ll focus on how to address open source software (OSS) vulnerabilities, including:

  • What it means to “manage vulnerabilities”
  • Why OSS presents the greatest risk to compliance with this new requirement
  • The security tool problem preventing organizations from addressing OSS risk
  • Getting accurate dependency inventories and prioritizing remediation
  • Setting up guardrails to ensure developers select safe OSS dependencies

ENTRY
Enter from the door on Broadway and take the elevator to the 11th floor.

SCHEDULE
Doors open at 5:30. The talk will begin about 6pm.

NO ENTRY AFTER 6:15 PM
The outer doors auto-lock at 6pm. We will station someone at the door to let people in until 6:15. It will not be possible to enter the building after 6:15.

CONTACT INFORMATION REQUIRED TO ATTEND
For liability reasons, the building owner requires us to collect names and contact info for each person in the building after normal business hours. You will have a choice of signing in with a phone and a QR code or on paper, but we will have to collect this info from all attendees. (If this requirement will prevent you from attending, please let us know. We can't change the rules for this venue, but we can take your feedback into account when we choose venues.)

ACKNOWLEDGEMENTS

  • Our host this month is NedSpace, a co-working space in downtown Portland.
  • Our sponsor this month is Endor Labs, who will be providing food (as well as the speaker!)
OWASP Portland Chapter
NedSpace
707 SW Washington St #1100 · Portland, OR