Overview

The Dashboard provides an overview of progress towards 100% compliance, facilitates all PCI DSS 4.0 action items for browser script requirements, and gives you an assessment of your status at a glance.


From the Dashboard, you can view:

  • The Sensor Heartbeat: This indicates the sensor's status across your domains. If your reports drop drastically, this will update accordingly. If the heartbeat indicates a drop, then you should first confirm your sensor was not removed from the relevant domains or accidentally blocked. If it was not, then contact HUMAN for assistance.
  • The Script Authorization tab: This displays scripts that need your review. Only unauthorized scripts are shown; scripts you've authorized are hidden from this tab, but you can always view them from your Inventory.
  • The HTTP Security Header Authorization tab: This displays HTTP headers that need your review. Only unauthorized HTTP headers are shown; ones that you have authorized are hidden from this tab, but you can always view them from your Inventory.

You can learn about the script and header tabs in the following sections.

Script tab

Each script entry presents important overview information, such as its status and risk level.

View by

Scripts can be presented by the payment page on which they were found or their vendor.

Script summary

Click on a script to open its summary. The script summary contains additional information about the script, such as a vendor description or the date when the script was first seen.

You can also update certain information about the script from the summary.

  • Show authorization history: Click to display the script's audit log, add notes, or authorize the script.
  • Authorization: Click to authorize and justify the script.
  • Progress status: Click to update the script's status.
  • Ownership contacts: Click to assign your team members as owners or contacts for the script.

Justification

Any script in the payment page inventory must have a written justification explaining why it is necessary. Code Defender requires a justification the first time a script is authorized. The justification can be updated at any time, but it will very rarely change within a script's lifecycle.

Authorization

Every script running on a payment page must be authorized and any change to a script must be authorized. Therefore, "Authorization" is a central and frequent activity expected by PCI DSS 4.0.
There are three ways to authorize scripts:

  1. Authorizing one script at a time
  2. Authorizing multiple scripts at a time (e.g., by manually multi-selecting multiple scripts, or selecting all scripts by a certain vendor at once)
  3. Automating script authorization

Authorization history

Every noteworthy event in the script's lifecycle is presented in this window: first appearance, authorizations, workflow status changes, and behavioral integrity changes/modification (new risky action detected).

The shortcut menu

Clicking on the three dots to the right of a script entry will bring up the shortcut menu.
For further in-depth analysis of all script actions, users can click on "Investigate script" to take it into Code Defender's Analyzer section.

Progress status

You can update the progress status of a script by clicking the status and selecting:

  • Change progress status: Lets you move the script to a new status, add a note about the change, and share the script with the available integrations. The available statuses are:
    • To be reviewed (under review): Mark the script as needing review.
    • To be removed: Mark the script for removal.
  • Archive script: Archive the script, which hides it from view and excludes it from calculations such as the total number of scripts in your inventory. You cannot archive a script if Code Defender detected it within the last 24 hours. Code Defender automatically moves archived scripts back to the inventory if it detects them on your application again.

Header tab

Each header entry presents important overview information, such as its status and risk level.

View by

Headers can be presented by the payment page on which they were found or the headers themselves.

Header summary

Click on a header to open its summary. The header summary contains additional information about the header, such as its new values or when it was last seen.

You can also update certain information about the header from the summary.

  • Show authorization history: Click to display the header’s audit log and add notes.
  • Progress status: Click to update the header’s status.
  • Authorization: Click to authorize the header.
  • Header values: Manage new header values.

Authorization history

Every noteworthy event in the header’s lifecycle is presented in this window: first appearance, authorizations, workflow status changes, and new values.

Progress status

You can update the progress status of a header by clicking the status and selecting:

  • Change progress status: Lets you move the header to a new status, add a note about the change, and share the header with the available integrations. The available statuses are:
    • To be reviewed (under review): Mark the header as needing review.
    • To be removed: Mark the header for removal.
  • Archive header: Archive the header and all of its values, which hides it from view and excludes it from calculations such as the total number of headers in your inventory. You cannot archive a header if Code Defender detected it within the last 24 hours. Code Defender automatically moves archived headers back to the inventory if it detects them on your application again. See Header values to learn how to archive individual header values instead.

Authorization

Similarly to scripts, every header must be authorized and any change to a header or header value must be authorized.

There are three ways to authorize headers:

  1. Authorizing one header at a time
  2. Authorizing multiple headers at a time
  3. Automating header authorization

Header values

You can view and manage individual header values with the tools available per value:

  • Compare header values: Open a new view to compare the selected new header value with any previously authorized header value.
  • Copy: Copy the header value to your device’s clipboard.
  • More options: Additional tools to manage the header value.
    • Archive header value: Archive the header’s value, which hides it from view and excludes it from calculations. You cannot archive a value if Code Defender detected it within the last 24 hours. Code Defender automatically moves archived values back to the inventory and sends a Modified Header alert if it detects the same one on your application again. See Progress status to learn how to archive headers and all of their values instead.
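The rules described above for scripts (Justification, Authorization, Progress status) and for headers (Header values, Compare header values) can be modelled as a small inventory. The following Python is an added illustration, not Code Defender's own code or API: it encodes a script's first authorization requiring a written justification, a changed script body flipping the script back to a state that needs re-authorization, the 24-hour rule that blocks archiving a recently seen script or header value, the automatic return of an archived item to the inventory (with a Modified Header alert for a header value) when it is observed again, and a directive-level comparison of a new header value against an authorized one. All record names, method names, the sample URLs and header values, and the SHA-256 choice for script integrity are assumptions constructed for the example.

```python
# Added illustration (not Code Defender's own code) of the authorization and
# change-detection rules this page describes; names and data are assumptions.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

ARCHIVE_COOLDOWN = timedelta(hours=24)  # "cannot archive if detected within the last 24 hours"


@dataclass
class ScriptRecord:
    url: str
    content_hash: str                      # SHA-256 of the body currently served
    last_seen: datetime
    justification: Optional[str] = None    # written reason the script is needed
    authorized_hash: Optional[str] = None  # hash that was authorized; None = pending
    archived: bool = False

    @property
    def status(self) -> str:
        if self.archived:
            return "archived"
        if self.authorized_hash is None:
            return "to be reviewed"
        if self.authorized_hash != self.content_hash:
            return "modified"  # integrity change: must be authorized again
        return "authorized"


@dataclass
class HeaderRecord:
    name: str
    authorized: Set[str] = field(default_factory=set)
    pending: Set[str] = field(default_factory=set)  # new values awaiting review
    archived: Set[str] = field(default_factory=set)
    last_seen: Dict[str, datetime] = field(default_factory=dict)  # per value
    alerts: List[str] = field(default_factory=list)


class Inventory:
    def __init__(self) -> None:
        self.scripts: Dict[str, ScriptRecord] = {}
        self.headers: Dict[str, HeaderRecord] = {}

    def observe_script(self, url: str, body: bytes, now: datetime) -> ScriptRecord:
        """Record a script the sensor saw on a payment page."""
        digest = hashlib.sha256(body).hexdigest()
        rec = self.scripts.get(url)
        if rec is None:
            rec = self.scripts[url] = ScriptRecord(url, digest, now)
            return rec
        rec.last_seen = now
        rec.archived = False           # detected again: back into the inventory
        rec.content_hash = digest      # a changed hash flips status to "modified"
        return rec

    def authorize_script(self, url: str, justification: Optional[str] = None) -> ScriptRecord:
        rec = self.scripts[url]
        if rec.justification is None:  # first authorization must carry a justification
            if not justification:
                raise ValueError("first authorization requires a written justification")
            rec.justification = justification
        rec.authorized_hash = rec.content_hash
        return rec

    def archive_script(self, url: str, now: datetime) -> None:
        rec = self.scripts[url]
        if now - rec.last_seen < ARCHIVE_COOLDOWN:
            raise ValueError("cannot archive: detected within the last 24 hours")
        rec.archived = True

    def observe_header(self, name: str, value: str, now: datetime) -> HeaderRecord:
        """Record a security header value the sensor saw on a payment page."""
        rec = self.headers.setdefault(name, HeaderRecord(name))
        rec.last_seen[value] = now
        if value in rec.archived:      # archived value reappears: restore and alert
            rec.archived.discard(value)
            rec.pending.add(value)
            rec.alerts.append(f"Modified Header: {name} value restored from archive")
        elif value not in rec.authorized:
            rec.pending.add(value)
        return rec

    def authorize_header_value(self, name: str, value: str) -> None:
        rec = self.headers[name]
        rec.pending.discard(value)
        rec.authorized.add(value)

    def archive_header_value(self, name: str, value: str, now: datetime) -> None:
        rec = self.headers[name]
        if now - rec.last_seen[value] < ARCHIVE_COOLDOWN:
            raise ValueError("cannot archive: value detected within the last 24 hours")
        rec.pending.discard(value)
        rec.archived.add(value)


def compare_header_values(authorized: str, new: str) -> Dict[str, List[str]]:
    """Directive-level diff (';'-separated, as in CSP) of a new value against an authorized one."""
    old = {d.strip() for d in authorized.split(";") if d.strip()}
    cur = {d.strip() for d in new.split(";") if d.strip()}
    return {"added": sorted(cur - old), "removed": sorted(old - cur)}
```

The script side keys state off the hash that was authorized rather than a boolean flag, so a changed body automatically reopens the item for review without anyone having to remember to clear a flag; the header side keeps authorized, pending and archived values as separate sets so that a value's reappearance after archiving can be distinguished from a genuinely new value and raise the alert the page describes.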