Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Thursday, June 26, 2008

Web firewalls trumping other options as PCI deadline nears

Companies scrambling to comply with a Web application security requirement due to take effect next week appear to be heavily favoring the use of Web firewall technologies over the other options that are available under the mandate, according to analysts.  The mandate from the major credit card companies is the latest adjustment to the Payment Card Industry Data Security Standard (PCI DSS).  Essentially, it requires all entities accepting payment card transactions to implement new security controls for protecting their Web applications.

The controls have been a recommended best practice for nearly two years now, but starting June 30, they will become a mandatory requirement under PCI—especially for so-called Level 1 companies that handle more than 6 million payment card transactions a year.

Under the requirement (PCI Section 6.6), merchants can choose to implement a specialized firewall to protect their Web applications, or to perform an automated or manual application code review and fix any flaws found.  Companies also have the option of performing either a manual or an automated vulnerability assessment scan of their Web application environment, fixing any problems that are discovered during that process.

The controls are supposed to protect Web applications from common threats like SQL injection attacks, buffer overflows and cross-site scripting vulnerabilities.  For instance, excess-inventory retailer chose to install a Web application firewall from Breach Security Inc. rather than take any of the other options.  Going that route was considerably cheaper than doing an application code review, said Bear Terburg, manager of network engineering at  The tool was “much easier” to implement than any of the other compliance options available under PCI 6.6, said John Halamka, CIO at Harvard Medical School.  “The effort of going through application code every time a new vulnerability is discovered would be a far more daunting task.”  The firewall also makes ongoing recommendations for tuning or adding new signatures when a new vulnerability is discovered, or to block specific Web threats, he said.

Bob Russo, general manager of the PCI Security Council, said that so far his organization does not have a clear indication of what companies are doing in terms of complying with PCI 6.6.

Posted on 06/26