14. Security Assessments of Publicly Exposed Gaming Systems
The objective of the requirements in this section is to ensure that Gaming Systems that are publicly exposed (e.g. web applications, etc.) are secure.
14.1 Security Assessments of Publicly Exposed Gaming Systems
14.1.1 Publicly exposed Gaming Systems (e.g. web applications) must be protected with adequate security measures to prevent any integrity or security issues.
14.1.2 New Gaming Systems that are publicly exposed (e.g. web applications) must be assessed for security vulnerabilities. The assessment must include the following, as a minimum:
- Source code analysis using Static Application Security Testing (SAST) tools to identify data entry points, perform data flow analysis, trace user controllable data from entry points, and search the code base for known gaps and software vulnerabilities; analysis of the results to remove false positives; and manual analysis of specific codebase areas to confirm results of the automated tools, and if other identified risks require a manual inspection of the code. The results of this assessment must be included with the submission of the Gaming System.
- Penetration testing through the use of Dynamic Application Security Testing (DAST) tools to identify weaknesses in the Gaming System with both authenticated and unauthenticated scans; analysis of the results to remove false positives; and manual testing to confirm the results from the tools and to identify the impact of the weaknesses. The results of this assessment must be provided after approval and deployment of the Gaming System, but before the Gaming System goes live.
14.1.3 Modifications to publicly exposed Gaming Systems may require assessment per standard 14.1.2 to be performed on the modifications, depending on the complexity and number of changes. These will be assessed on a case-by-case basis.