May 05, 2008
WAF. Defined.
One of the outcomes of the PCI Security Standards Council information supplement for PCI DSS requirement 6.6, which I blogged about last week, is a definition of Web Application Firewalls. The definition is built from three tiers of required capabilities:

  1. A list of recommended capabilities: tasks "that a WAF should be able to do".
  2. More advanced capabilities, listed as "additional recommended capabilities for certain environments".
  3. Even more advanced capabilities, listed as "additional considerations".

It is a bold attempt to create a product definition for the market by listing requirements. Until now the industry has relied on the Web Application Security Consortium's WAFEC project (Web Application Firewall Evaluation Criteria), which develops the industry-standard testing criteria for evaluating the quality of web application firewall solutions.

I was very excited when I examined the list: a close review of all the requirements reveals that the folks at the PCI Security Standards Council included some very advanced capabilities. Leaving aside whether scanners are capable of identifying the issues that WAFs are now expected to address, in my opinion two of the ten recommended capabilities stand out:

  1. Prevent data leakage--meaning have the ability to inspect web application output and respond (allow, block, mask and/or alert) based on the active policy or rules, and log actions taken.
  2. Inspect any protocol (proprietary or standardized) or data construct (proprietary or standardized) that is used to transmit data to or from a web application, when such protocols or data is not otherwise inspected at another point in the message flow.
The first requirement, data leakage prevention, is clear and well understood in light of the overwhelming number of organizations that have suffered information breaches (this topic alone could fill up this blog...). Note what the wording actually demands: inspection of the application's output, not just its input, with a policy-driven response (allow, block, mask and/or alert) and a log of the action taken.
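To make the first requirement concrete, here is an added example (not code from the original post, from the PCI supplement, or from any vendor's product) of the output-inspection logic it describes: an HTTP response body is scanned for primary account numbers, each candidate is confirmed with a Luhn check so that order numbers and timestamps are not mangled, and the active policy decides whether to allow, alert, mask or block, with an audit record written for every hit. The function names, the policy vocabulary and the sample response are all assumptions made for the illustration.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not adjacent to other digits (so a 25-digit transaction id is not chopped up).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Policy vocabulary taken from the requirement text: allow, block, mask and/or alert.
POLICIES = ("allow", "alert", "mask", "block")
BLOCK_PAGE = "Response blocked by security policy.\n"


def luhn_ok(digits):
    """Luhn mod-10 check. Cuts down false positives from order numbers,
    timestamps and other long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(body):
    """Return [(start, end, digits)] for every Luhn-valid candidate in body."""
    hits = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pan(digits):
    """PCI-style truncation: only the last four digits remain readable."""
    return "X" * (len(digits) - 4) + digits[-4:]


def inspect_response(body, policy, request_id="-"):
    """Apply the active output policy to one HTTP response body.

    Returns (action, body_out, log): the action taken, the body to send on to
    the client, and one audit record per detected PAN. The audit record never
    contains the full card number, only its length and last four digits.
    """
    if policy not in POLICIES:
        raise ValueError("unknown policy: %r" % (policy,))
    hits = find_pans(body)
    if not hits:
        return "allow", body, []           # nothing sensitive: pass through untouched
    body_out = body
    if policy == "mask":
        # Rewrite from the last hit backwards so earlier offsets stay valid.
        for start, end, digits in reversed(hits):
            body_out = body_out[:start] + mask_pan(digits) + body_out[end:]
    elif policy == "block":
        body_out = BLOCK_PAGE
    log = [{"request": request_id, "action": policy,
            "pan_len": len(d), "pan_last4": d[-4:]} for _, _, d in hits]
    return policy, body_out, log


# Constructed sample response (not captured from any real site). The card numbers
# are the well-known Visa and MasterCard test numbers; the order number is also
# 16 digits but fails the Luhn check and must be left alone.
SAMPLE_BODY = (
    "<html><body>\n"
    "<p>Order 1234567812345678 confirmed.</p>\n"
    "<p>Paid with card 4111111111111111 (exp 12/09)</p>\n"
    "<p>Backup card: 5500 0000 0000 0004</p>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    for policy in POLICIES:
        action, out, log = inspect_response(SAMPLE_BODY, policy, request_id="req-1")
        print("policy=%s action=%s hits=%d" % (policy, action, len(log)))
        print(out)
```

Two practical points a deployment has to handle that the snippet does not: masking changes the body length, so the Content-Length header (and any hash or signature over the body) must be recomputed before the response is forwarded, and compressed or otherwise encoded responses have to be decoded before inspection or the scan sees nothing. The Luhn check removes most accidental matches but not all of them, so the alert action is the sensible starting policy while a rule is tuned.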

But the second requirement is more interesting. It explicitly links the web application with the back-end applications that supply its data, and requires inspecting (and protecting) any protocol used to deliver data to or from a web application. In other words, inspecting SQL is now a recommended capability of a Web Application Firewall! Note the qualifier in the text: the WAF needs to do this only when the protocol "is not otherwise inspected at another point in the message flow", so an organization whose database traffic is already monitored separately can satisfy the requirement there instead.
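As an added illustration of what inspecting SQL on the application-to-database link can look like (this is an example of the generic statement-fingerprinting technique, added here; it is not code from the original post, from the PCI supplement, or from any product): the inspector learns the templates of the statements an application normally issues, with literal values replaced by placeholders and comments removed, and then flags any statement whose template it has not seen before. Injected tautologies, comment-based truncation and appended UNION queries all change the template, so they are caught without any attack-signature list. The class and function names and the sample statements are assumptions made for the example.

```python
import re

# One left-to-right tokenizer pass so that a '--' inside a string literal is not
# mistaken for a comment, and a digit inside a string is not treated as a number.
TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'"          # string literal ('' is an escaped quote)
    r"|--[^\n]*"               # line comment
    r"|/\*.*?\*/"              # block comment
    r"|\b\d+(?:\.\d+)?\b",     # numeric literal
    re.S,
)


def normalize_sql(stmt):
    """Reduce a statement to its structural template: literals become '?',
    comments are dropped, whitespace and case are canonicalised."""
    def repl(m):
        tok = m.group()
        return " " if tok.startswith(("--", "/*")) else "?"
    s = TOKEN_RE.sub(repl, stmt)
    return re.sub(r"\s+", " ", s).strip().upper()


class SqlInspector:
    """Whitelist of statement templates learned from an application's normal traffic."""

    def __init__(self):
        self.templates = set()
        self.log = []

    def learn(self, stmt):
        """Learning mode: record the template of a statement seen during clean traffic."""
        self.templates.add(normalize_sql(stmt))

    def check(self, stmt, enforce=True):
        """Return 'allow', 'block' or 'alert' for one statement on the app-to-DB link.
        Unknown templates are blocked in enforcing mode and only logged otherwise."""
        tmpl = normalize_sql(stmt)
        if tmpl in self.templates:
            return "allow"
        action = "block" if enforce else "alert"
        self.log.append({"action": action, "template": tmpl})
        return action


# Constructed sample traffic (assumed for the example, not captured from a real application).
BASELINE = [
    "SELECT id, name FROM users WHERE name = 'alice' AND pw = 'hunter2'",
    "SELECT name, price FROM products WHERE id = 5",
    "INSERT INTO orders (user_id, total) VALUES (42, 19.99)",
]
SUSPECTS = [
    "SELECT name, price FROM products WHERE id = 17",                     # same shape, new value
    "SELECT id, name FROM users WHERE name = 'bob' AND pw = 'pa''ss'",    # escaped quote, still fine
    "SELECT name, price FROM products WHERE id = 5 UNION SELECT user, password FROM mysql.user",
    "SELECT id, name FROM users WHERE name = 'admin' -- ' AND pw = 'x'",
    "SELECT id, name FROM users WHERE name = '' OR '1'='1' AND pw = 'x'",
]

if __name__ == "__main__":
    insp = SqlInspector()
    for stmt in BASELINE:
        insp.learn(stmt)
    for stmt in SUSPECTS:
        print("%-5s %s" % (insp.check(stmt), normalize_sql(stmt)))
```

The obvious operational caveat is that the whitelist is only as good as the traffic it was learned from: anything issued while learning mode is on, including an attack in progress, becomes "normal", and statements whose shape legitimately varies (a dynamically sized IN list, an ad hoc reporting query) need either grouping rules or a broader template before enforcement is switched on.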

When you look at the picture below, you can see that this is exactly what we have been talking about for the past 5 years or so. In our very first product announcement, in October 2002, Shlomo Kramer stated: "Our vision is simple: Secure the Enterprise Application Sphere... from web servers to application servers and databases"

[Figure: What is Entailed]

SANS endorsed this approach when it published the SANS Top 20 Internet Security Risks of 2007, stating the same thing: "It is not sufficient to protect the database alone...all the associated applications need to be secured".
Rich Mogull was talking about it when he wrote about the protection of content (SB: data) in business applications "....from your web application stack to internal applications and databases."

And now the PCI Data Security Standard....
It is very rewarding to see the industry embracing the vision we started with.

