The realities of using WAFs for PCI DSS 6.6 compliance

In my previous tip regarding the looming June 30, 2008, deadline for PCI requirement 6.6 compliance, I talked about the good, bad, and ugly of "application code reviews." Well, according to the PCI Security Standards Council, there's another option you can consider for compliance. Throw a Web application firewall (WAF) in front of your Web server and everything's cool. Just like putting a firewall in front of your network keeps everything safe and secure, right? Well, not so much. If only it were that simple.

The considerations for proper implementation of WAFs outlined in the PCI DSS 6.6 Information Supplement are actually pretty reasonable. It talks about the pros and cons of using WAFs and considerations to ensure they work effectively. But there's a dark side to WAFs, especially when using them as your only layer of defense. Here are the things about WAFs you won't hear about but affect your organization -- and ultimately the security of your Web application -- just the same:

1. WAFs can be a single point of failure for your Web site/application. What happens when it crashes, it is misconfigured from the start, or it gets reconfigured outside of your change management processes? I once witnessed a situation where a single administrator made an out-of-band firewall change in a large ecommerce firm that took down half of the customer-facing systems. Bad news for business. Adding a WAF to the mix may only complicate already complex systems.

2. WAFs won't protect against application logic flaws. What if an attacker is able to manually crawl through your application in non-standard ways and exploit a weakness? Or if your authentication mechanism, logging, or user provisioning systems aren't up to par, there's very little a WAF is going to be able to protect against. Also, WAFs aren't going to protect against underlying network and operating system-level vulnerabilities -- things that can cause just as much trouble for your system as Layer 7 weaknesses.

3. Installing a WAF and letting it run is a whole different ball game than proactively managing it day in and day out. The latter of which very few administrators have time to do.

4. Certain WAFs may not support SSL/TLS, and therefore they will not be able to protect against attacks carried out via HTTPS. Also consider the internal threat. Your WAF may be configured (or forced) to trust all local traffic. External attacks aren't your only concern.

5. The "positive model" of whitelisting acceptable behavior referred to in the PCI DSS 6.6 Information Supplement may work best, but it's only as good as its configuration. All it takes is one oversight to create a gaping hole. With ...
   
   To continue reading for free, register below or login

   Requires Membership to View

   To gain access to this and all member only content, please provide the following information:

   Email Address:
   
   
   

   By joining SearchSoftwareQuality.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
   
   TechTarget cares about your privacy. Read our Privacy Policy
   To read more you must become a member of SearchSoftwareQuality.com

   As an existing member of the TechTarget network please activate your SearchSoftwareQuality.com account 

   By joining SearchSoftwareQuality.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
   
   TechTarget cares about your privacy. Read our Privacy Policy
   
   
   

   Digg This!     StumbleUpon     Del.icio.us

   
   
   
   

   RELATED CONTENT Application Security Strategies Rich Internet applications security testing checklist The lowdown on PCI compliance Web 2.0 application security troubleshooting, testing tutorial Expert resolves issues plaguing OpenSTA users Fixing four Web 2.0 input validation security mistakes Social engineering training could disrupt botnet growth Web security problems: Five ways to stop login weaknesses Preparing for testing applications in the cloud The role of quality assurance (QA) pros in software security Common software security risks and oversights Software security testing and techniques Free Web proxy security tools software testers should get to know How to get management on board with Web 2.0 security issues Web application security best practices: Tips on implementation Testing strategies for complex environments How to make your software tamperproof Ways to approach application performance testing on a tight budget How can I tell if my software security has been breached? Is online application testing for smartphones different from other software testing? Software testers facing six big challenges today, StarWest keynoter says Lesser-known free software testing tools testers should try

   RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

   
   
   the complexities of today's Web applications and ecommerce platforms, that's not something I'd want to take on if I didn't have to.

The PCI DSS 6.6 Information Supplement states, "Proper implementation of both options would provide the best multi-layered defense." Well, sure, in an ideal world everyone would perform source code analysis, black box testing, and utilize a WAF. I'm all for doing what's right -- at least doing the basics. But the thing many people overlook in the name of compliance and checklist audits is that we don't live and work in an ideal world. Having the resources to be able to master application code reviews and manage a WAF is beyond what many organizations possess.

One other thing: Don't overlook what you may already have. You may actually have "WAF" capabilities in your existing firewall. I know that Check Point, Juniper and other big-name firewall vendors offer at least basic Web application layer protection as well as some add-on modules that provide pretty in-depth controls. If you have that, use it. It'd be a great add-on without the expense and effort of managing a separate WAF.

In the end, I go back to what I said in my previous tip: The simplest, least expensive, and most reliable way to ensure reasonable Web security is performing automated scans and hands-on manual analysis. Don't drain the ocean. Just focus on the basics. Once you get your periodic vulnerability testing processes in place, you can make improvements over time with source code analysis. Then, as a final layer of defense -- when resources permit -- you may consider installing a Web application firewall. No doubt it will serve you well long term, but that's not what most people need to focus on at the moment.

-----------------------------------------
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blogkbeaver@principlelogic.com.