PCI DSS compliance: Web application firewalls (WAFs)

Web application firewalls (WAFs) are one option for those seeking compliance with requirement 6.6 of the PCI DSS. The benefits, limitations and proper implementation of WAFs are discussed by security experts in this section.

   PCI DSS compliance: The basics
   PCI DSS compliance: Code review
   PCI DSS compliance: Web application firewalls (WAFs)
   Web application security and PCI DSS

  Web application firewalls (WAFs)

The other option merchants have to comply with requirement 6.6, besides the application code review covered in the previous section, is implementation of a Web application firewall (WAF). The information supplement from the PCI council states "In the context of Requirement 6.6, an 'application firewall' is a Web application firewall (WAF), which is a security policy enforcement point positioned between a Web application and the client end point. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components."

Our poll indicates that WAFs are an unpopular choice for SearchSoftwareQuality.com readers looking to comply with requirement 6.6. With only 11% of the vote, WAFs tied with "Other" and were beaten by "Don't know."

  • Whatis.com definition: application firewall: This is NOT a network firewall. A network firewall filters on addresses, ports and protocols; an application firewall inspects application-layer (HTTP) requests and responses and has different duties and features.

  • Tip: The realities of using WAFs for PCI DSS 6.6 compliance: A WAF may still let attacks through to the vulnerabilities behind it; it shields a flaw rather than removing it. Surprise! Besides this shocker, Kevin explores the suggestions for implementing WAFs in requirement 6.6 and finds them "pretty reasonable." However, he also outlines a few less obvious ways a WAF may not be a good choice for your company. In addition, Kevin again recommends steps companies should take -- regardless of PCI -- in order to be secure.

  • Tip: Application firewall tips and tricks: Michael Cobb lays out the ground rules for selecting a WAF, integrating it with your system, and figuring out how to make it work. Whitelisting (positive security model), blacklisting (negative security model), and auditing instructions are included.

  • Article: Let's talk Web application firewalls (WAFs): This is actually a blog post by noted application security expert Jeremiah Grossman, but it is thorough enough to be considered an article. Grossman is a fan of WAFs but understands their limitations. In "Can WAFs protect against business logic flaws?" Grossman discusses the ability of WAFs to prevent certain business logic attacks while also explaining what WAFs are incapable of preventing. WAFs are a piece, but a valuable piece, of the application security puzzle, he argues.
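To make the whitelisting/blacklisting distinction and the business-logic limitation concrete, here is an added example (not code from this page, nor from Cobb's or Grossman's articles): a toy policy enforcement point in Python that applies a negative model (signature blacklist) and a positive model (per-endpoint parameter whitelist) to a few constructed requests. The endpoints, parameter formats, signatures, and the `ACCOUNT_OWNERS` table are all assumptions made up for the illustration. The last sample is a well-formed request for another user's account statement: both WAF models allow it, because ownership is application state the WAF never sees, so the check has to live in the application.

```python
"""Toy WAF policy enforcement point: blacklist vs whitelist, and what neither can see."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    params: dict          # decoded query/body parameters, already URL-decoded
    session_user: str     # user the application session belongs to (known to the app, not the WAF)


# Negative security model: block anything matching a known-bad signature.
# Constructed, deliberately small list; real rule sets are far larger.
BLACKLIST_SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\w+'?\s*=\s*'?\w+|--\s*$)"),
    "xss": re.compile(r"(?i)<\s*script\b"),
    "traversal": re.compile(r"\.\.[/\\]"),
}


def blacklist_verdict(req):
    """Return ('block', reason) if any parameter matches a signature, else ('allow', reason)."""
    for name, value in req.params.items():
        for sig_name, pattern in BLACKLIST_SIGNATURES.items():
            if pattern.search(str(value)):
                return ("block", f"{sig_name} signature in parameter {name!r}")
    return ("allow", "no signature matched")


# Positive security model: only these (method, path) pairs exist, and each accepts
# exactly these parameters in exactly this format. Assumed endpoints for illustration.
WHITELIST_POLICY = {
    ("GET", "/product"): {"id": re.compile(r"\d{1,8}")},
    ("GET", "/account/statement"): {"acct": re.compile(r"\d{1,8}")},
    ("POST", "/search"): {"q": re.compile(r"[\w .-]{1,64}")},
}


def whitelist_verdict(req):
    """Return ('block', reason) unless endpoint, parameter names and formats all conform."""
    schema = WHITELIST_POLICY.get((req.method, req.path))
    if schema is None:
        return ("block", "endpoint not in policy")
    for name, value in req.params.items():
        pattern = schema.get(name)
        if pattern is None:
            return ("block", f"parameter {name!r} not allowed on this endpoint")
        if not pattern.fullmatch(str(value)):
            return ("block", f"parameter {name!r} violates required format")
    return ("allow", "request conforms to policy")


def inspect(req):
    """Run both models and report only the verdicts, as a WAF decision log would."""
    return {"blacklist": blacklist_verdict(req)[0], "whitelist": whitelist_verdict(req)[0]}


# Application-side knowledge the WAF does not have: which user owns which account.
# Constructed table for the example.
ACCOUNT_OWNERS = {"1001": "alice", "1002": "bob"}


def application_authorizes(req):
    """The check that belongs in the application: does the session user own the requested account?"""
    return ACCOUNT_OWNERS.get(str(req.params.get("acct"))) == req.session_user


# Constructed sample requests.
SAMPLES = {
    "sqli": Request("GET", "/product", {"id": "1' OR '1'='1"}, "alice"),
    "extra_param": Request("GET", "/product", {"id": "42", "debug": "1"}, "alice"),
    "normal": Request("POST", "/search", {"q": "laptop"}, "alice"),
    # Well-formed request for someone else's statement: the business logic flaw case.
    "idor": Request("GET", "/account/statement", {"acct": "1002"}, "alice"),
}


if __name__ == "__main__":
    for label, req in SAMPLES.items():
        verdicts = inspect(req)
        app = application_authorizes(req) if req.path == "/account/statement" else None
        print(f"{label:12s} blacklist={verdicts['blacklist']:5s} "
              f"whitelist={verdicts['whitelist']:5s} app_authorizes={app}")
```

Running the script shows the three outcomes Cobb and Grossman describe: the injection string is caught by both models, the unexpected `debug` parameter is caught only by the positive model, and the statement request for account 1002 passes both because it is syntactically perfect; only `application_authorizes` rejects it.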

Visit our next section on Web application security and the PCI DSS.

This was first published in July 2008
