The PCI Security Standards Council (PCI SSC) released a publication today providing paths organizations can take to satisfy PCI DSS v1.1 Requirement 6.6. As it has done before, the council recognized that confusion existed and that parties were addressing this mandate inefficiently and, in some cases, ineffectively. The council provides several options for addressing the risks defined in the standard. These options include:
- Application Code Reviews – not necessarily MANUAL all the time; the review can be achieved through any of these approaches:
  - Manual reviews (granted, not possible where the source code is unavailable, as with proprietary third-party systems)
  - Automated source code scanners
  - Manual web application vulnerability assessment
  - Automated web application scanners
  - Independence and qualification of the individuals performing the effort (internal or external) remain necessary
  - Integration of these controls should occur and is nicely described in the clarification document (page 3)
- Application Firewalls (WAF) – defined as a technology that inspects packets, and hence the inputs, crossing from an untrusted to a trusted environment. In the PCI SSC's own words:
  - “…designed to inspect, evaluate, and react to the parts of an Internet Protocol (IP) message (packet) consumed by web applications, and therefore public applications frequently receive uninspected input.” (page 4)
  - The council is not advocating extra or redundant controls, but is ensuring that the packets are inspected. To this point they have highlighted that OTHER means of accomplishing and mitigating this risk are available, such that “If packet content adequately inspected (i.e., providing equivalent protection) by network firewalls, proxies, and other components do not have to be RE-INSPECTED by a WAF”.
  - Page 5 has a few nice, succinct bullets describing the necessary functionality and inspection protocols (highlighted, but certainly not set in stone forever) that must be included in an Option 2 WAF.
A great document with lots of specifics to clear the air. Far superior to the information that was available after the ETA conference. There are some nice “Sources of Information” listed without links, so I have provided those to accelerate your efforts and research:
- OWASP Top Ten
- OWASP Countermeasures Reference
- OWASP Application Security FAQ
- Build Security In (Dept. of Homeland Security, National Cyber Security Division)
- Web Application Vulnerability Scanners (National Institute of Standards and Technology)
- Web Application Firewall Evaluation Criteria (Web Application Security Consortium)
- IT Compliance and Controls – specific best practices that focus on these risks (my most recent publication)
- NIST SP 800-64 Revision 1 – Security considerations in an SDLC
- FFIEC Workbook – SDLC
As always – add comments to enhance and improve our community and the controls under discussion.