Home > Software Quality Tips > Application Security Strategies > The realities of using WAFs for PCI DSS 6.6 compliance
Software Quality Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 

APPLICATION SECURITY STRATEGIES

The realities of using WAFs for PCI DSS 6.6 compliance


Kevin Beaver, CISSP
06.18.2008
Rating: -5.00- (out of 5)


Software quality news and advice
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


In my previous tip regarding the looming June 30, 2008, deadline for PCI requirement 6.6 compliance, I talked about the good, bad, and ugly of "application code reviews." Well, according to the PCI Security Standards Council, there's another option you can consider for compliance. Throw a Web application firewall (WAF) in front of your Web server and everything's cool. Just like putting a firewall in front of your network keeps everything safe and secure, right? Well, not so much. If only it were that simple.

The considerations for proper implementation of WAFs outlined in the PCI DSS 6.6 Information Supplement are actually pretty reasonable. It talks about the pros and cons of using WAFs and considerations to ensure they work effectively. But there's a dark side to WAFs, especially when using them as your only layer of defense. Here are the things about WAFs you won't hear about but affect your organization -- and ultimately the security of your Web application -- just the same:

The PCI DSS 6.6 Information Supplement states, "Proper implementation of both options would provide the best multi-layered defense." Well, sure, in an ideal world everyone would perform source code analysis, black box testing, and utilize a WAF. I'm all for doing what's right -- at least doing the basics. But the thing many people overlook in the name of compliance and checklist audits is that we don't live and work in an ideal world. Having the resources to be able to master application code reviews and manage a WAF is beyond what many organizations possess.

One other thing: Don't overlook what you


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


RELATED CONTENT
Application Security Strategies
Fixing four Web 2.0 input validation security mistakes
Social engineering training could disrupt botnet growth
Web security problems: Five ways to stop login weaknesses
Preparing for testing applications in the cloud
The role of quality assurance (QA) pros in software security
Common software security risks and oversights
Using the Firefox Web Developer extension to find security flaws
Web application security testing checklist
How to develop secure applications
Software quality needs to be a continuous process

Software security testing and techniques
Spotting rich Internet application security flaws with WebGoat
Adobe ColdFusion websites being compromised
Attack code targets Microsoft ActiveX zero-day flaw
Fixing four Web 2.0 input validation security mistakes
Commonly-overlooked security flaws in rich Internet applications
Web security problems: Five ways to stop login weaknesses
10 steps to acing Web app security assessments
Hack maliciously to boost your software's security
Software Testing: How to know you're ready to start testing
Software security best practices: Roles developers must play

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary


may already have. You may actually have "WAF" capabilities in your existing firewall. I know that Check Point, Juniper and other big-name firewall vendors offer at least basic Web application layer protection as well as some add-on modules that provide pretty in-depth controls. If you have that, use it. It'd be a great add-on without the expense and effort of managing a separate WAF.

In the end, I go back to what I said in my previous tip: The simplest, least expensive, and most reliable way to ensure reasonable Web security is performing automated scans and hands-on manual analysis. Don't drain the ocean. Just focus on the basics. Once you get your periodic vulnerability testing processes in place, you can make improvements over time with source code analysis. Then, as a final layer of defense -- when resources permit -- you may consider installing a Web application firewall. No doubt it will serve you well long term, but that's not what most people need to focus on at the moment.

-----------------------------------------
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog

Rate this Tip
To rate tips, you must be a member of SearchSoftwareQuality.com.
Register now to start rating these tips. Log in if you are already a member.


Submit a Tip




DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.



Software Design & Testing - Project Management
About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2006 - 2009, TechTarget | Read our Privacy Policy
  TechTarget - The IT Media ROI Experts