The Payment Card Industry Data Security Standard (PCI-DSS) is a standard produced through a consensus process led by the five major card brands. It is not a government-enforced standard; compliance is enforced by the card brands themselves.
Non-compliance results in higher fees and severe fines in the event of a breach. All merchants and service providers collecting and processing credit card transactions are required to comply with the PCI-DSS. Version 1.2 of the standard was released in October 2008.
Requirement 6.6 of the PCI-DSS requires that, for all public-facing web applications, new threats and vulnerabilities be addressed on an ongoing basis and that the applications be protected against known attacks.
Compliance with the above can be achieved either through:
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
• Installing a web-application firewall in front of public-facing web applications
This choice has attracted some criticism: in practice there is no real alternative to a web application firewall, since it is the only option that delivers ongoing protection rather than a point-in-time assessment.
Web Application Firewall (WAF)
A Web Application Firewall is a security device deployed in front of the application that protects it by inspecting all incoming and outgoing HTTP traffic. A single WAF can protect multiple applications. The WAF is operated by the security team and can be adapted quickly when a new attack technique appears: adding rules and patterns is a simple process, and a new rule can first be run in detect-only mode and tested against legitimate traffic before it is allowed to block requests against the live application. A WAF can block a broad range of application-level attacks and provides ongoing protection, although it does not remove the underlying vulnerability and a poorly written rule can be evaded (for example through encoding) or can block legitimate users, which is why rules need testing before deployment.
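To make the model above concrete, here is an added example (not code from the original page or from any WAF product) of a rule-based request inspector in Python: requests are percent-decoded before matching, each rule carries a detect-only or blocking mode, and a candidate rule for a new attack technique is dry-run against known-good and known-bad traffic before it is promoted to blocking. The request shape, rule names and all sample traffic are assumptions constructed for illustration.

```python
"""Rule-based request inspection with a pre-deployment dry run.

Added example, not code from the original page or from any WAF product:
the request shape, rule names and sample traffic are constructed here
for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""
    headers: dict = field(default_factory=dict)


@dataclass
class Rule:
    rule_id: str
    pattern: re.Pattern
    fields: tuple = ("path", "query", "body", "headers")
    mode: str = "block"  # "block" rejects the request; "detect" only logs it


def normalise(value: str) -> str:
    """Percent-decode until the value stops changing, so %2527-style
    double encoding cannot hide a payload from the patterns."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def request_fields(req: Request) -> dict:
    """Flatten the request into the named fields a rule can target."""
    return {
        "path": normalise(req.path),
        "query": normalise(req.query),
        "body": normalise(req.body),
        "headers": "\n".join(f"{k}: {normalise(v)}" for k, v in req.headers.items()),
    }


def inspect(req: Request, rules: list) -> dict:
    """Run every rule over the request; blocking needs a 'block'-mode hit."""
    fields_ = request_fields(req)
    matched = [r.rule_id for r in rules
               if any(r.pattern.search(fields_[f]) for f in r.fields)]
    blocked = any(r.mode == "block" for r in rules if r.rule_id in matched)
    return {"matched": matched, "blocked": blocked}


def describe(req: Request) -> str:
    return f"{req.method} {req.path}" + (f"?{req.query}" if req.query else "")


def evaluate_rule(rule: Rule, good: list, bad: list) -> dict:
    """Dry-run one rule against labelled traffic: legitimate requests it
    would hit are false positives, attacks it misses are false negatives."""
    fps = [describe(r) for r in good if inspect(r, [rule])["matched"]]
    fns = [describe(r) for r in bad if not inspect(r, [rule])["matched"]]
    return {"false_positives": fps, "false_negatives": fns,
            "safe_to_block": not fps and not fns}


def stage_and_deploy(rule: Rule, good: list, bad: list, live: list) -> bool:
    """Promote a candidate rule to blocking only if its dry run is clean."""
    if not evaluate_rule(rule, good, bad)["safe_to_block"]:
        return False
    rule.mode = "block"
    live.append(rule)
    return True


# Rules already protecting the application (patterns kept deliberately narrow).
LIVE_RULES = [
    Rule("sqli-union", re.compile(r"(?i)\bunion\b\s+(?:all\s+)?select\b")),
    Rule("sqli-tautology", re.compile(r"(?i)'\s*or\s+\S+\s*=\s*\S+")),
    Rule("xss-script-tag", re.compile(r"(?i)<\s*script\b|javascript:")),
]

# Constructed sample traffic: GOOD_TRAFFIC is what real users send (including
# a search a sloppy SQL rule would misfire on), BAD_TRAFFIC are known attacks,
# some percent-encoded, and TRAVERSAL_ATTACKS is a technique not yet covered.
GOOD_TRAFFIC = [
    Request("GET", "/search", "q=union+membership+select+committee"),
    Request("POST", "/login", body="user=alice&pass=s3cret"),
    Request("GET", "/files", "name=report..final.pdf"),
]
BAD_TRAFFIC = [
    Request("GET", "/items", "id=1+UNION+SELECT+card_number+FROM+cards"),
    Request("GET", "/items", "id=1%27%20OR%20%271%27%3D%271"),
    Request("POST", "/comment", body="text=%3Cscript%3Ealert(1)%3C/script%3E"),
]
TRAVERSAL_ATTACKS = [
    Request("GET", "/download", "file=..%2F..%2Fetc%2Fpasswd"),
    Request("GET", "/download", "file=..%5C..%5Cwindows%5Cwin.ini"),
]

# Two candidate rules for the new technique, both staged in detect-only mode.
BROAD_TRAVERSAL = Rule("traversal-broad", re.compile(r"\.\."), mode="detect")
PRECISE_TRAVERSAL = Rule("traversal", re.compile(r"\.\.(?:/|\\)"), mode="detect")

if __name__ == "__main__":
    live = list(LIVE_RULES)
    for req in GOOD_TRAFFIC + BAD_TRAFFIC + TRAVERSAL_ATTACKS:
        print(describe(req), inspect(req, live))
    for candidate in (BROAD_TRAVERSAL, PRECISE_TRAVERSAL):
        print(candidate.rule_id, evaluate_rule(candidate, GOOD_TRAFFIC, TRAVERSAL_ATTACKS))
        print("deployed:", stage_and_deploy(candidate, GOOD_TRAFFIC, TRAVERSAL_ATTACKS, live))
    print(describe(TRAVERSAL_ATTACKS[0]), inspect(TRAVERSAL_ATTACKS[0], live))
```

Running it shows the point of the dry run: the broad `..` rule would have blocked the legitimate `report..final.pdf` download and is refused, while the narrower rule catches both traversal payloads with no false positives and is promoted to blocking, after which the previously unmatched traversal requests are rejected. The decode loop matters too; without it the percent-encoded tautology and script tag would pass every rule.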
Code Review and Vulnerability Assessment
As permitted by the Standard, a manual assessment of the application, typically a review of its code to detect vulnerabilities, may be carried out at least annually and after any change. Alternatively, automated vulnerability assessment tools may be used. However, there are some very serious limitations to using either of these methods as a substitute for a WAF.
An annual code review does not address the threats of a changing landscape: a vulnerability found between reviews will not be addressed in time to prevent attacks. Even if code review were carried out more frequently, the process is extremely time-consuming and expensive, as it requires a lot of skilled resources, and the more complex the application, the more expensive the review.
Automated scanners can be updated very frequently with new attack techniques, and if run frequently they provide real value. However, they detect only technical vulnerabilities (injection flaws, for example) and miss business-logic flaws, and their scope is limited to the parts of the application that are easily reachable without navigating many forms or authenticated workflows. Scanning or pen-testing a production environment may also prove dangerous (for example, attempting to exploit a potential DoS vulnerability), while scanning a test environment does not necessarily reflect the actual state of production.
Summary and Recommendations
PCI requirement 6.6 provides a choice between a WAF and an application vulnerability assessment process. The nature of the requirement is to provide ongoing protection for a deployed application against a changing threat landscape. It is evident that the only solution that truly captures the nature of the requirement is a web application firewall.