Sharon Besser: April 2008 Archives

Last week, the PCI Standards Council issued a press release and a supplement document clarifying some of the ambiguous points in the PCI standard, including section 6.6.

SecureSphere addresses 8 or 10 of the 12 PCI requirements (depending on interpretation, since not all of the sections have a lengthy clarification), including web application security as well as the database security and cardholder data protection requirements. Section 6.6, however, is a common use case. Requirement 6.6, which becomes effective on June 30, 2008, provides two options intended to address common threats to cardholder data and to ensure that input to web applications from untrusted environments is fully inspected. The Information Supplement for requirement 6.6 gives organizations clarification on implementing application code reviews (option one) and/or application firewalls (option two).

The first option for meeting Requirement 6.6, application code review, is now subdivided into four alternatives designed to meet the intent of the requirement. They include:
  • Manual review of application source code
  • Proper use of automated source code analyzer (scanning) tools
  • Manual web application security vulnerability assessments
  • Proper use of automated web application security vulnerability assessment (scanning) tools.
The second option for Requirement 6.6 is a Web Application Firewall (WAF), which is now finally described, including a list of recommended capabilities for a WAF, additional recommended capabilities for certain environments, additional considerations for organizations implementing a WAF, and additional sources of information on web application security.

Since PCI version 1.1 was introduced in 2006 we have worked with hundreds of organizations to meet the PCI requirement, ensuring that web applications are protected and secured. During this time, we have learned that once a vulnerability is discovered in a production system, it may take weeks and even months until most organizations can patch, test and deploy the fix.

According to the PCI Standards Council, "The intent of Requirement 6.6 is to ensure web applications exposed to the public Internet are protected against the most common types of malicious input."

It adds that "Keeping in mind that the objective of Requirement 6.6 is to prevent exploitation of common vulnerabilities ... Properly implemented, one or more of these four alternatives could meet the intent of Option 1 and provide the minimum level of protection against common web application threats."

While scanners of any kind are very useful during the development cycle or as part of the QA process, they cannot protect web applications once a new vulnerability is identified. In fact, scanning creates a new type of problem for the organization: the managers running the scanners become aware of, and accountable for, newly discovered vulnerabilities that cannot be fixed in due time.

Both technologies (in fact, all three approaches) should be in use by organizations following best practices, but for those trying to get the most bang for the buck in the short term, the place to start is with a Web Application Firewall. WAFs are a faster and more cost-effective approach to meeting the PCI requirements without facing the accountability of knowing about an unpatched vulnerability, not to mention SecureSphere's other benefits, as it addresses more than just section 6.6 alone.
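To make the WAF-as-compensating-control idea concrete, here is an added example of the kind of input inspection the supplement asks for. It is not code from this post or from SecureSphere; it assumes a hypothetical positive-security policy (an allowlist describing the only legal form of each parameter on one endpoint) and constructed sample requests. Anything that does not fit the policy is rejected before it reaches the application, which is what lets a WAF hold the line while the code fix is still working its way through patching, testing and deployment.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical positive-security ("allowlist") policy for one endpoint.
# Each expected parameter maps to a regex describing its only legal form;
# unexpected parameters, over-long values and values that do not match
# are all rejected before the request reaches the application.
@dataclass
class EndpointPolicy:
    path: str
    params: Dict[str, re.Pattern]
    max_value_len: int = 256

@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)

def inspect_request(policy: EndpointPolicy, path: str, query: Dict[str, str]) -> Decision:
    """Inspect one decoded request against the policy; collect every reason it fails."""
    if path != policy.path:
        return Decision(False, [f"path {path!r} not covered by policy"])
    reasons: List[str] = []
    for name, value in query.items():
        if name not in policy.params:
            reasons.append(f"unexpected parameter {name!r}")
            continue
        if len(value) > policy.max_value_len:
            reasons.append(f"{name!r} exceeds {policy.max_value_len} chars")
            continue
        if not policy.params[name].fullmatch(value):
            reasons.append(f"{name!r} fails allowlist pattern")
    for name in policy.params:
        if name not in query:
            reasons.append(f"missing required parameter {name!r}")
    return Decision(not reasons, reasons)

# Constructed policy: a statement lookup endpoint where the account id is
# 1-10 digits and the period is a YYYY-MM month in the 2000s.
STATEMENT_POLICY = EndpointPolicy(
    path="/statement",
    params={
        "account_id": re.compile(r"[0-9]{1,10}"),
        "period": re.compile(r"20[0-9]{2}-(0[1-9]|1[0-2])"),
    },
)

# Constructed sample requests, as a WAF would see them after URL decoding.
SAMPLE_REQUESTS = [
    ("/statement", {"account_id": "4471", "period": "2008-03"}),          # legitimate
    ("/statement", {"account_id": "4471abc", "period": "2008-03"}),       # malformed id
    ("/statement", {"account_id": "4471", "period": "2008-03", "debug": "1"}),  # unknown parameter
    ("/admin", {}),                                                       # path not in policy
]

def run_samples() -> List[Decision]:
    """Evaluate every constructed sample against the policy."""
    return [inspect_request(STATEMENT_POLICY, path, query) for path, query in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for (path, query), decision in zip(SAMPLE_REQUESTS, run_samples()):
        verdict = "ALLOW" if decision.allowed else "BLOCK"
        print(f"{verdict} {path} {query} {decision.reasons}")
```

The allowlist style is deliberate: a policy that states what is legal does not need to know about a newly published vulnerability to reject input that does not fit, which is the property that makes it useful during the weeks between discovery and deployment of the real fix.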
April 11, 2008

RSA is Over

So the RSA party is over. Even though most bloggers and reporters unanimously agree that this year was lacking a common theme and excitement, I did find a common theme. During my discussions with customers, prospects and peers while networking, a common topic of discussion was how important it is to protect the data and the applications simultaneously. More interesting statistics and RSA impressions to come.

(BTW, did you notice how we use the word 'peer' mostly when there's some 'beer' around?)
In my opinion, the report of hackers assaulting epilepsy patients might be the first recorded occurrence of physical, human damage due to large-scale hacking. We have heard about attacks on medical facilities and destruction of records in the past. But according to Wired, the incident, possibly the first computer attack to inflict physical harm on the victims, began Saturday, March 22, when attackers used a script to post hundreds of messages embedded with flashing animated GIFs.
Wow. I wonder what's next, programming HAL 9000?