Learning Guide:

PCI DSS compliance: Web application firewalls (WAFs)

03 Jul 2008 | SearchSoftwareQuality.com


TABLE OF CONTENTS
   PCI DSS compliance: The basics
   PCI DSS compliance: Code review
   PCI DSS compliance: Web application firewalls (WAFs)
   Web application security and PCI DSS



  Web application firewalls (WAFs)

The other option merchants have to comply with requirement 6.6 is implementation of a Web application firewall (WAF). The information supplement from the PCI council states "In the context of Requirement 6.6, an 'application firewall' is a Web application firewall (WAF), which is a security policy enforcement point positioned between a Web application and the client end point. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components."

Our poll indicates that WAFs are an unpopular choice for SearchSoftwareQuality.com readers looking to comply with requirement 6.6. With only 11% of the vote, WAFs tied "Other" and were beaten by "Don't know."
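To make the council's definition concrete, here is an added example (it is not from this guide, the PCI council, or any WAF vendor) of a toy policy enforcement point in Python. It models the two rule styles a WAF can run: a negative-security blacklist of known attack signatures, and a positive-security whitelist describing what each endpoint expects. The endpoint names, parameter schemas and sample requests are all constructed assumptions for the illustration. Run over those requests, it shows the point the tips below make: a signature list misses a trivially reworded injection, the whitelist catches it, and neither sees a business-logic abuse, because that request is perfectly well-formed.

```python
"""Toy WAF: a policy enforcement point between client and Web application.

Added example for this guide, not PCI council or vendor code. Endpoints,
schemas and the sample traffic are constructed for the illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    path: str
    params: dict


# Negative security: signatures for attacks already seen. Incomplete by
# design; every signature list is, which is the weakness of this approach.
BLACKLIST = [
    ("sqli_tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sqli_comment", re.compile(r"(--|#|/\*)")),
    ("xss_script_tag", re.compile(r"<\s*script\b", re.I)),
    ("path_traversal", re.compile(r"\.\./")),
]

# Positive security: per-endpoint schema (assumed for the example). Only
# parameters the application expects, in the shape it expects, pass.
WHITELIST = {
    ("POST", "/checkout"): {
        "item_id": re.compile(r"^[0-9]{1,8}$"),
        "qty": re.compile(r"^[0-9]{1,3}$"),
        "coupon": re.compile(r"^[A-Z0-9]{0,12}$"),
    },
    ("GET", "/search"): {
        "q": re.compile(r"^[\w .\-]{0,64}$"),
    },
}


def blacklist_check(req):
    """Return (param, rule) pairs for every signature hit; empty means clean."""
    hits = []
    for name, value in req.params.items():
        for rule, pat in BLACKLIST:
            if pat.search(value):
                hits.append((name, rule))
    return hits


def whitelist_check(req):
    """Return violations: unknown endpoint, unexpected parameter, or bad shape."""
    schema = WHITELIST.get((req.method, req.path))
    if schema is None:
        return [("*", "unknown_endpoint")]
    violations = []
    for name, value in req.params.items():
        pat = schema.get(name)
        if pat is None:
            violations.append((name, "unexpected_param"))
        elif not pat.fullmatch(value):
            violations.append((name, "malformed_value"))
    return violations


def enforce(req):
    """Combined decision: block on any blacklist hit or whitelist violation."""
    reasons = blacklist_check(req) + whitelist_check(req)
    return ("block" if reasons else "allow", reasons)


# Constructed sample traffic.
SAMPLES = {
    # Ordinary search.
    "benign": Request("GET", "/search", {"q": "red shoes"}),
    # Textbook tautology: both rule sets catch it.
    "sqli": Request("GET", "/search", {"q": "' or '1'='1"}),
    # Same attack with || instead of OR: no signature matches, but the
    # whitelist rejects the quote and pipe characters.
    "obfuscated_sqli": Request("GET", "/search", {"q": "'||'1'='1"}),
    # A customer redeeming a staff-only coupon. Every value is well-formed;
    # whether this caller may use it is application state the WAF cannot see.
    "logic_abuse": Request("POST", "/checkout",
                           {"item_id": "42", "qty": "1", "coupon": "STAFFONLY"}),
}


if __name__ == "__main__":
    for label, req in SAMPLES.items():
        decision, reasons = enforce(req)
        print(f"{label:16} {decision:5} {reasons}")
```

The last sample is the one to take away: a WAF judges the request, not the transaction, so an authorization or pricing rule that lives in the application's own logic has to be tested in the code (requirement 6.6's other option), not delegated to the appliance.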

  • Whatis.com definition: application firewall: This is NOT a network firewall; an application firewall has different duties and features.


  • Tip: The realities of using WAFs for PCI DSS 6.6 compliance: They may still let attacks through. Surprise! Besides this shocker, Kevin explores the suggestions for implementing WAFs in requirement 6.6 and finds them "pretty reasonable." However, he also outlines a few less obvious ways a WAF may not be a good choice for your company. In addition, Kevin again recommends steps companies should take -- regardless of PCI -- in order to be secure.


  • Article: Web application firewalls critical for application security: In early 2006, Colleen Frye interviewed a number of application security experts about WAFs and how they bolster security. These insights are more important now than ever.


  • Tip: Application firewall tips and tricks: Michael Cobb lays out the ground rules for selecting a WAF, integrating it with your system, and figuring how to make it work. Whitelisting, blacklisting, and auditing instructions are included.


  • Article: Let's talk Web application firewalls (WAFs): This is actually a blog post by noted application security expert Jeremiah Grossman, but it is thorough enough to be considered an article. Grossman is a fan of WAFs but understands their limitations. In "Can WAFs protect against business logic flaws?" Grossman discusses the ability of WAFs to prevent certain business logic attacks while also explaining what WAFs are incapable of preventing. WAFs are a piece, but a valuable piece, of the application security puzzle, he argues.


  • Article: Web application firewall market maturing: This is an older article, but its lessons still apply today to WAFs.


  • Visit our next section on Web application security and the PCI DSS.

    All Rights Reserved, Copyright 2006 - 2009, TechTarget | Read our Privacy Policy