Overview

The Dashboard provides an overview of progress towards 100% compliance, facilitates all PCI DSS 4.0 action items for browser script requirements, and gives you an assessment of your status at a glance.


From the Dashboard, you can view:

  • The Sensor Heartbeat: This indicates the sensor's status across your domains. If your reports drop drastically, this will update accordingly. If the heartbeat indicates a drop, first confirm that the sensor was not removed from the relevant domains or accidentally blocked. If it was not, contact HUMAN for assistance.
  • The Script Authorization tab: This displays scripts that need your review. Only unauthorized scripts are shown; scripts you've authorized are hidden from this tab, but you can always view them from your Inventory.
  • The HTTP Security Header Authorization tab: This displays HTTP headers that need your review. Only unauthorized HTTP headers are shown; ones that you have authorized are hidden from this tab, but you can always view them from your Inventory.

You can learn about the script and header tabs in the following sections.

Script tab

Each script entry presents important overview information, such as its status and risk level.

"View by"
Scripts can be presented by the payment page on which they were found or their vendor.

Script summary
Clicking on a script opens the script summary window, which contains additional important information about the script (e.g., the vendor description and the date the script first appeared). From here, users can click "Authorization" to authorize and justify the script, use the drop-down next to the script's status to move it to "In progress," or click "Show authorization history."

Justification
Every script in the payment page inventory must have a written justification for why it is necessary. Code Defender requires a justification the first time a script is authorized. The justification can be updated at any time, but it rarely changes over a script's lifecycle.

Authorization
Every script running on a payment page must be authorized, and any change to a script must be authorized as well. "Authorization" is therefore a central and frequent activity under PCI DSS 4.0.
There are three ways to authorize scripts:

  1. Authorizing one script at a time
  2. Authorizing multiple scripts at a time (e.g., by manually multi-selecting multiple scripts, or selecting all scripts by a certain vendor at once)
  3. Automating script authorization

Authorization history
Every noteworthy event in the script's lifecycle is presented in this window: first appearance, authorizations, workflow status changes, and behavioral integrity changes (e.g., a new risky action detected).

The shortcut menu
Clicking on the three dots to the right of a script entry brings up the shortcut menu.
For further in-depth analysis of all script actions, users can click on "Investigate script" to take it into Code Defender's Analyzer section.

Header tab

HTTP headers can be viewed by the payment page on which they were found, or by the type of security header.

As with scripts, users can dig into further detail, change authorization status, and view authorization history. In addition, the portal highlights changes from previously authorized headers (e.g., has an attacker added a malicious domain to the Content Security Policy?).

The "Diff" view highlights additions and strikes through removals.
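The header comparison described above, as an added illustration that is not Code Defender's own code: it parses two Content-Security-Policy values into directive/source sets and reports, per directive, which sources were added or removed since authorization. The sample policies and the host names in them are constructed for this example.

```python
from typing import Dict, Set, Tuple

def parse_csp(header_value: str) -> Dict[str, Set[str]]:
    """Parse a Content-Security-Policy value into {directive: set(sources)}.

    Directives are ';'-separated; the first token of each is the directive
    name (case-insensitive, so lower-cased), the rest are source expressions.
    """
    policy: Dict[str, Set[str]] = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        # Browsers ignore a repeated directive, so keep the first occurrence.
        policy.setdefault(tokens[0].lower(), set(tokens[1:]))
    return policy

def diff_csp(authorized: str, observed: str) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {directive: (added_sources, removed_sources)} for every
    directive that differs between the authorized and the observed policy.
    A directive present in only one policy has all its sources reported."""
    old, new = parse_csp(authorized), parse_csp(observed)
    changes = {}
    for name in sorted(old.keys() | new.keys()):
        before, after = old.get(name, set()), new.get(name, set())
        added, removed = after - before, before - after
        if added or removed:
            changes[name] = (added, removed)
    return changes

def render_diff(changes: Dict[str, Tuple[Set[str], Set[str]]]) -> str:
    """Text stand-in for the portal view: '+' marks additions, '-' removals."""
    lines = []
    for name, (added, removed) in changes.items():
        lines += [f"{name}: + {s}" for s in sorted(added)]
        lines += [f"{name}: - {s}" for s in sorted(removed)]
    return "\n".join(lines)

# Constructed sample (not real traffic): the authorized policy, and a later
# observation where an unknown host joined script-src and 'strict-dynamic' vanished.
AUTHORIZED_CSP = ("default-src 'self'; "
                  "script-src 'self' https://js.example-psp.test 'strict-dynamic'; "
                  "frame-ancestors 'none'")
OBSERVED_CSP = ("default-src 'self'; "
                "script-src 'self' https://js.example-psp.test https://cdn.unknown-host.example; "
                "frame-ancestors 'none'")

if __name__ == "__main__":
    print(render_diff(diff_csp(AUTHORIZED_CSP, OBSERVED_CSP)))
```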

A header's authorization history is also available here.