PCI DSS compliance: Web application firewalls (WAFs)

TABLE OF CONTENTS
   PCI DSS compliance: The basics
   PCI DSS compliance: Code review
   PCI DSS compliance: Web application firewalls (WAFs)
   Web application security and PCI DSS

  Web application firewalls (WAFs)

The other option merchants have for complying with Requirement 6.6, besides the application code review covered in the previous section, is to put a Web application firewall (WAF) in front of their public-facing Web applications. The PCI Security Standards Council's information supplement on Requirement 6.6 states: "In the context of Requirement 6.6, an 'application firewall' is a Web application firewall (WAF), which is a security policy enforcement point positioned between a Web application and the client end point. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components." Note that the requirement offers the two approaches as alternatives; nothing stops a merchant from doing both, and a WAF deployed in front of code that has never been reviewed only hides the flaws it happens to recognize.

Our poll indicates that WAFs are an unpopular choice among SearchSoftwareQuality.com readers looking to comply with Requirement 6.6: with only 11% of the vote, WAFs tied with "Other" and were beaten by "Don't know."

  • Whatis.com definition: application firewall: This is NOT a network firewall; an application firewall has different duties and features.


  • Tip: The realities of using WAFs for PCI DSS 6.6 compliance: A WAF can still let attacks through, which should surprise nobody. Beyond that, Kevin walks through the WAF implementation suggestions in Requirement 6.6 and finds them "pretty reasonable," but he also outlines a few less obvious reasons a WAF may not be a good choice for your company. As in the earlier sections, he recommends steps companies should take, regardless of PCI, in order to be secure.


  • Article: Web application firewalls critical for application security: In early 2006, Colleen Frye interviewed a number of application security experts about WAFs and how they bolster security. These insights are more important now than ever.


  • Tip: Application firewall tips and tricks: Michael Cobb lays out the ground rules for selecting a WAF, integrating it with your system, and figuring how to make it work. Whitelisting, blacklisting, and auditing instructions are included.


  • Article: Let's talk Web application firewalls (WAFs): This is actually a blog post by noted application security expert Jeremiah Grossman, but it is thorough enough to be considered an article. Grossman is a fan of WAFs but understands their limitations. In "Can WAFs protect against business logic flaws?" Grossman discusses the ability of WAFs to prevent certain business logic attacks while also explaining what WAFs are incapable of preventing. WAFs are a piece, but a valuable piece, of the application security puzzle, he argues.


  • Article: Web application firewall market maturing: This is an older article, but its lessons still apply today to WAFs.
  • Visit our next section on Web application security and the PCI DSS.
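The following is an added example written for this page; it is not code from any of the articles listed above or from a real WAF product. It models the "security policy enforcement point positioned between a Web application and the client end point" of the Council's definition as a single inspection function, applies the three mechanisms Cobb's tip covers (a whitelist, or positive model; a blacklist, or negative model; and an audit trail of every decision), and then shows the limitation Grossman discusses: a funds-transfer request whose parameters are all syntactically valid passes both models, and only the application's own ownership check can catch it. The paths, parameter patterns, attack signatures and account table are all invented for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Positive model (whitelist): for each protected path, the only parameters the
# application accepts and the exact shape each value must have.
# Paths and patterns are invented for this example.
WHITELIST = {
    "/search": {"q": re.compile(r"^[\w .-]{1,64}$")},
    "/cart/add": {"sku": re.compile(r"^[A-Z]{3}-\d{4}$"),
                  "qty": re.compile(r"^[1-9]\d{0,2}$")},
    "/account/transfer": {"from": re.compile(r"^\d{1,10}$"),
                          "to": re.compile(r"^\d{1,10}$"),
                          "amount": re.compile(r"^\d{1,7}(\.\d{2})?$")},
}

# Negative model (blacklist): a handful of attack signatures. Production rule
# sets contain thousands; these few exist only to show the mechanism.
BLACKLIST = [
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d'?\s*=\s*'?\d", re.I)),
    ("sqli-comment", re.compile(r"(--|/\*)")),
    ("xss-script-tag", re.compile(r"<\s*script", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    rule: str      # which rule decided, e.g. "blacklist:sqli-tautology"
    detail: str    # parameter and value involved, for the audit trail


def inspect_request(url: str, audit: list) -> Verdict:
    """Decide whether a request may pass to the application; log every decision."""
    parts = urlsplit(url)
    # parse_qs percent-decodes, so the signatures see what the application would see.
    params = parse_qs(parts.query, keep_blank_values=True)

    def decide(allowed, rule, detail):
        audit.append({"path": parts.path, "allowed": allowed,
                      "rule": rule, "detail": detail})
        return Verdict(allowed, rule, detail)

    # 1. Negative model: any value matching a known attack pattern is rejected.
    for name, values in params.items():
        for value in values:
            for rule_name, pattern in BLACKLIST:
                if pattern.search(value):
                    return decide(False, f"blacklist:{rule_name}", f"{name}={value!r}")

    # 2. Positive model: unknown paths, unknown parameters and malformed values are rejected.
    allowed_params = WHITELIST.get(parts.path)
    if allowed_params is None:
        return decide(False, "whitelist:unknown-path", parts.path)
    for name, values in params.items():
        pattern = allowed_params.get(name)
        if pattern is None:
            return decide(False, "whitelist:unknown-param", name)
        for value in values:
            if not pattern.fullmatch(value):
                return decide(False, "whitelist:bad-value", f"{name}={value!r}")
    return decide(True, "pass", "")


# The application's own authorization check. The WAF cannot perform this: it does
# not know which account the caller's session owns, only that "1001" is digits.
ACCOUNT_OWNER = {"1001": "alice", "2002": "bob"}   # constructed sample data


def app_transfer(session_user: str, url: str) -> str:
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if ACCOUNT_OWNER.get(params["from"]) != session_user:
        return "denied: caller does not own source account"
    return f"ok: moved {params['amount']} from {params['from']} to {params['to']}"


if __name__ == "__main__":
    log = []
    for u in ["/search?q=%27%20or%20%271%27%3D%271",
              "/cart/add?sku=ABC-1234&qty=2&debug=1",
              "/account/transfer?from=1001&to=2002&amount=500.00"]:
        print(u, "->", inspect_request(u, log))
    # The transfer passed the WAF; bob is trying to move alice's money.
    print(app_transfer("bob", "/account/transfer?from=1001&to=2002&amount=500.00"))
```

The ordering matters in practice: the blacklist runs first so that a known attack is logged under the signature that recognized it rather than as a generic whitelist failure, which makes the audit trail far more useful to whoever reviews it. The transfer case is the point of the exercise: every value is well-formed, so the WAF correctly reports "pass", and the fraud is only stopped by the ownership check inside `app_transfer`.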

    This was first published in July 2008