Q

PCI DSS compliance: WAF, code review or both?

Complying with PCI DSS requirement 6.6 means installing a Web application firewall or conducting a code review. Application security expert Caleb Sima explains which option is best and how to get the most out of your app sec program.

Which is better for PCI compliance -- WAFs or code review? I've been reading about it and am confused. We are a relatively small company.

This all depends on how you view PCI compliance. If you view it from a "check the box and be done" viewpoint, which many companies do but I highly disagree with, then a Web application firewall is suitable for PCI compliance. It's easy to install -- set it in watch mode, check the box and move on. If you actually care about security and doing what I would call the "right thing," then in the best setup both WAFs and code review are the answer.

Code review is by far the most comprehensive solution, but is also the most tedious and difficult to apply. Solving the problem at the code level solves the issue at its core. Vulnerabilities are really code defects with a higher impact. Solve these issues like you do with defects and your application will become more functional and secure.

What I recommend for WAFs is that they are a great example of "defense in depth." WAFs usually work very well for small websites that are static. However, they start running into problems when you're dealing with large, complex, changing Web applications that run a lot of dynamic code (Web 2.0 or 3.0 -- whatever it is).

If your code is secure then applying a WAF on the front is a nice boundary of protection that helps battle the majority of simple Web hacks. And since you also fixed your vulnerabilities in your code...if the hacker finds a way past that WAF they run right into a dead end.


So, it's hard for me to tell you what is best as I don't know enough about your company. I will assume that small is 50-100 people, and since you are worried about PCI you must be running a website that accepts credit card numbers. If this is the case, my recommendation is to do a few things:

  1. Identify where your risks are. Knowing where your problems are is top priority. Use a product like WebInspect or a source code analysis tool such as those from Fortify or Ounce.

  2. Measure out where your top three critical risks are. Figure out how best to remediate these (code, configuration, WAF) and implement ASAP.

  3. Implement a WAF (get the checkbox) and have it start protecting...

  4. Start working with your development organization to figure out a way to implement security throughout the software development lifecycle (DO IT EARLY! While you are small). This does not have to be that complicated. Make it simple for them at first. For example, policy development rule number one is "You must validate all input with a whitelist." Leave it at that and get them used to the new rules.

  5. Start assessing your Web app on a regular basis so that you can see if all your hard work is actually paying off. Do you see vulnerability counts dropping over time? If not, you have more work to do.

This may sound like a lot, but remember that the Web app is your front door and this is where all the risk is these days. Network security is the 90's. The Web app is today.
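The "validate all input with a whitelist" rule from step 4 is easy to state and easy to get wrong, so here is an added example of what it looks like in code (this is the editor's illustration, not code from the column or from any product named above). It validates a constructed checkout form against per-field allow-lists, including a Luhn checksum on the card number, and contrasts it with a deny-list check that only looks for known-bad fragments. The field names, patterns and sample forms are all constructed for this example.

```python
"""Allow-list ("whitelist") input validation for a card-accepting checkout form.

Added example, not from the original column. FIELD_RULES, the sample forms and
the deny-list fragments are constructed for illustration.
"""
import re

# Allow-list: each field says exactly what is acceptable; everything else is rejected.
# \A ... \Z anchors the whole value, so a trailing newline cannot slip past a '$' anchor.
FIELD_RULES = {
    "quantity": re.compile(r"\A[1-9][0-9]{0,2}\Z"),            # 1..999
    "postal_code": re.compile(r"\A[0-9]{5}(-[0-9]{4})?\Z"),    # US ZIP or ZIP+4
    "card_number": re.compile(r"\A[0-9]{13,19}\Z"),            # digits only; Luhn checked below
    "name_on_card": re.compile(r"\A[A-Za-z][A-Za-z .'-]{0,59}\Z"),
}

# Deny-list ("blacklist") for contrast: a short, constructed list of "bad" fragments.
DENY_LIST = ("<script", "' or ", "--", ";")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the standard typo/sanity check on a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_allowlist(form: dict) -> dict:
    """Return {field: reason} for every rejected field; an empty dict means the form is clean.

    The allow-list covers field *names* as well as values: unexpected and missing
    fields are errors too, so the handler only ever sees the fields it was written for.
    """
    errors = {}
    for name, value in form.items():
        rule = FIELD_RULES.get(name)
        if rule is None:
            errors[name] = "unexpected field"
        elif not isinstance(value, str) or not rule.fullmatch(value):
            errors[name] = "does not match allowed format"
        elif name == "card_number" and not luhn_ok(value):
            errors[name] = "fails Luhn check"
    for name in FIELD_RULES:
        if name not in form:
            errors[name] = "missing"
    return errors


def validate_denylist(form: dict) -> dict:
    """Deny-list check for comparison: flags only values containing a listed fragment."""
    errors = {}
    for name, value in form.items():
        lowered = str(value).lower()
        if any(bad in lowered for bad in DENY_LIST):
            errors[name] = "contains forbidden fragment"
    return errors


# Constructed sample requests.
GOOD_FORM = {
    "quantity": "2",
    "postal_code": "30301",
    "card_number": "4111111111111111",   # well-known test number, passes Luhn
    "name_on_card": "Ada Lovelace",
}
# Markup in a name field: none of the deny-list fragments match it, but it is
# plainly not a name. The allow-list rejects it; the deny-list lets it through.
MARKUP_FORM = dict(GOOD_FORM, name_on_card="Ada <b>Lovelace</b>")

if __name__ == "__main__":
    print("allow-list, good form:  ", validate_allowlist(GOOD_FORM))
    print("allow-list, markup form:", validate_allowlist(MARKUP_FORM))
    print("deny-list,  markup form:", validate_denylist(MARKUP_FORM))
```

The point of the contrast is the one the rule implies: a deny-list has to enumerate every bad input and silently passes whatever it did not anticipate, while an allow-list only has to describe the handful of shapes a field legitimately takes. Tightening a pattern later (say, restricting `quantity` to stock on hand) is a one-line change in `FIELD_RULES` rather than a hunt for new fragments.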

This was first published in July 2008
