May 29, 2008

Reviewing the Code Review

Remember that old PCI DSS 6.6 dilemma - the one in which everyone and every company had a say - whether to perform a code review or deploy a Web Application Firewall (WAF)? Not only do I take the side of the WAF, I go further and say that the dilemma itself is a false one, for several reasons, the first of which is that a WAF provides real-time defense with virtually no response delay.

The PCI Security Standards Council tried to calm things down by publishing a detailed clarification of this requirement. In summary, the code review option can be satisfied by applying at least one of four specified measures to obtain a minimum level of security. One of these measures is stated as "Proper use of automated web application security vulnerability assessment (scanning) tools".

And yet, I still have a problem with the code review option. Security holes in the source code are not always found, even when a scanning tool is used, so this option does not provide the minimal defense specified in Requirement 6. Take for example the recent findings of XSS flaws in multiple websites. These are not just passive websites but e-commerce websites, engaged in trade, where credit card details are transferred and which must comply with PCI. To further highlight the shortcoming of the code review option, we read that these sites earned McAfee's "Hacker Safe" logo. This basically means that McAfee, a well-established security assessment company, performed a code review (scanning) and certified the sites as PCI compliant. I certainly do not doubt the professionalism of McAfee - bugs are an inherent part of the development cycle, and it is impossible to create a completely secure environment.

It is precisely for this reason that a WAF should be deployed: to prevent an attacker from exploiting the application's vulnerability.
