| Web application firewalls (WAFs)
The other option merchants have to comply with requirement 6.6 is implementation of a Web application firewall (WAF). The information supplement from the PCI council states "In the context of Requirement 6.6, an 'application firewall' is a Web application firewall (WAF), which is a security policy enforcement point positioned between a Web application and the client end point. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components."
Our poll indicates that WAFs are an unpopular choice for SearchSoftwareQuality.com readers looking to comply with requirement 6.6. With only 11% of the vote, WAFs tied "Other" and was beaten by "Don't know."
Whatis.com definition: application firewall: This is NOT a network firewall; an application firewall has different duties and features.
Tip: The realities of using WAFs for PCI DSS 6.6 compliance: They may still let vulnerabilities in. Surprise! Besides this shocker, Kevin explores the suggestions for implementing WAFs in requirement 6.6 and finds them "pretty reasonable." However, he also outlines a few less obvious ways a WAF may not be a good choice for your company. In addition, Kevin again recommends steps companies should take -- regardless of PCI -- in order to be secure.
Article: Web application firewalls critical for application security: In early 2006, Colleen Frye interviewed a number of application security experts about WAFs and how they bolster security. These insights are more important now than ever.
Tip: Application firewall tips and tricks: Michael Cobb lays out the ground rules for selecting a WAF, integrating it with your system, and figuring how to make it work. Whitelisting, blacklisting, and auditing instructions are included.
Article: Let's talk Web application firewalls (WAFs): This is actually a blog post by noted application security expert Jeremiah Grossman, but it is thorough enough to be considered an article. Grossman is a fan of WAFs but understands their limitations. In "Can WAFs protect against business logic flaws?" Grossman discusses the ability of WAFs to prevent certain business logic attacks while also explaining what WAFs are incapable of preventing. WAFs are a piece, but a valuable piece, of the application security puzzle, he argues.
Article: Web application firewall market maturing: This is an older article, but its lessons still apply today to WAFs.
Visit our next section on Web application security and the PCI DSS.
Dig deeper on Building security into the SDLC (Software development life cycle)