PCI Standard - Fall from grace?

There has been a lot of talk lately about what people perceive to be a problem with the Payment Card Industry (PCI) standard. The PCI Council kicked up dust with its recent clarification about section 6.6:

Most security folks are peeved by the fact that a web application firewall (WAF) can be used in place of a code review. I agree with the nay-sayers from a purely technical perspective. Application firewalls do not protect you from attacks for which you cannot write good signatures, and there are many, many attacks that fall into this category (authentication flaws, authorization flaws, business-logic abuse, and so on), because a request that exploits them looks exactly like a legitimate one. Even for attacks such as SQL injection and cross-site scripting, which WAFs are designed to mitigate, there will always be new encodings and payload variants that slip past the signatures, while a fix in the code (parameterized queries, output encoding, an ownership check) closes the hole regardless of how the payload is dressed up. So, from a technical perspective, a WAF is a weak substitute if an organization is genuinely pushing for security.
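To make the two failure modes concrete, here is an added example that is not part of the original post. It uses a hypothetical three-rule regex filter standing in for a WAF signature set (not any real product's rules), a constructed in-memory SQLite table with well-known test card numbers, and hypothetical handler functions in the vulnerable and fixed forms. It shows that a trivially reworded SQL injection payload passes the signatures while a parameterized query stops it, and that an authorization flaw (reading another customer's card by id) is invisible to any signature because the request contains nothing to match.

```python
import re
import sqlite3

# Toy signature set standing in for a WAF rule set (assumption: this is an
# illustrative filter, not the rules of any actual WAF product).
SQLI_SIGNATURES = [
    re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),  # the classic ' OR '1'='1
    re.compile(r"union\s+select", re.IGNORECASE),           # UNION-based extraction
    re.compile(r"--|/\*|;"),                                # comment / statement terminators
]


def waf_blocks(value: str) -> bool:
    """Return True if any signature matches the submitted parameter value."""
    return any(sig.search(value) for sig in SQLI_SIGNATURES)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two customers, each with one stored PAN (test numbers)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, owner TEXT, pan TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?, ?)",
        [(1, "alice", "4111111111111111"), (2, "bob", "5500000000000004")],
    )
    return conn


# --- Case 1: SQL injection. The WAF is supposed to catch this class. ---

def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list[str]:
    """String-built query: the code defect the WAF is meant to paper over."""
    sql = f"SELECT pan FROM cards WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Parameterized query: the payload is data, never SQL, whatever it looks like."""
    rows = conn.execute("SELECT pan FROM cards WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


# --- Case 2: authorization flaw. No signature can describe this request. ---

def get_card_vulnerable(conn: sqlite3.Connection, session_user: str, card_id: int):
    """Fetches by id only; never checks that the logged-in user owns the card."""
    row = conn.execute("SELECT pan FROM cards WHERE id = ?", (card_id,)).fetchone()
    return row[0] if row else None


def get_card_fixed(conn: sqlite3.Connection, session_user: str, card_id: int):
    """Ownership is part of the query, so another user's card is simply not found."""
    row = conn.execute(
        "SELECT pan FROM cards WHERE id = ? AND owner = ?", (card_id, session_user)
    ).fetchone()
    return row[0] if row else None


def run_demo() -> dict:
    """Exercise both cases and return the outcomes for inspection."""
    conn = make_db()
    classic = "' OR '1'='1"   # matched by the first signature
    reworded = "' OR 'a'='a"  # same logic, different literals: no signature matches
    return {
        "classic_blocked": waf_blocks(classic),
        "reworded_blocked": waf_blocks(reworded),
        "reworded_vulnerable": lookup_vulnerable(conn, reworded),  # leaks every PAN
        "reworded_fixed": lookup_fixed(conn, reworded),            # nothing leaks
        "idor_blocked": waf_blocks("2"),                            # benign-looking value
        "idor_vulnerable": get_card_vulnerable(conn, "alice", 2),   # alice reads bob's PAN
        "idor_fixed": get_card_fixed(conn, "alice", 2),             # denied by the code fix
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The point of the second case is the one the signature argument misses: the request `card_id=2` from alice's session is byte-for-byte what a legitimate request from bob looks like, so the only place the flaw can be found is in the code (or in a test that knows the intended access rules), which is exactly what a code review is for.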

Therein lies the big problem. Most organizations do not really care about security. Customer data is just one piece of the puzzle needed to get their business done. The only reasons companies take customer data seriously are the laws and the threat of reputational loss. From a business and process perspective, it is just one cog among many. They know there is something called PCI and that there are a few requirements to be met, and the PCI Council has now handed these companies a freebie in the form of the web application firewall.

In my view, the whole issue about section 6.6 has to be taken in perspective. If an organization is to pass PCI requirements, it needs to satisfy all sections. In other words, the PCI requirements also stipulate a lot of best practices that have to be met: network segmentation (Req. 1), separation of duties (Req. 6.3), good programming practices along the lines of the OWASP Top 10 (Req. 6.5), and regular vulnerability testing (Req. 11). A company that wants to be PCI compliant would ideally look at all of these and, in the process, become compliant. Viewed in this light, the issue of the web application firewall is a small one.
