PCI DSS compliance: Web application firewalls (WAFs)

03 Jul 2008 | SearchSoftwareQuality.com

TABLE OF CONTENTS
   PCI DSS compliance: The basics
   PCI DSS compliance: Code review
   PCI DSS compliance: Web application firewalls (WAFs)
   Web application security and PCI DSS

  Web application firewalls (WAFs)

The other option merchants have to comply with requirement 6.6 is implementation of a Web application firewall (WAF). The information supplement from the PCI council states "In the context of Requirement 6.6, an 'application firewall' is a Web application firewall (WAF), which is a security policy enforcement point positioned between a Web application and the client end point. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components."

Our poll indicates that WAFs are an unpopular choice for SearchSoftwareQuality.com readers looking to comply with requirement 6.6. With only 11% of the vote, WAFs tied "Other" and were beaten by "Don't know."

  • Whatis.com definition: application firewall: This is NOT a network firewall; an application firewall has different duties and features.

  • Tip: The realities of using WAFs for PCI DSS 6.6 compliance: They may still let vulnerabilities in. Surprise! Besides this shocker, Kevin explores the suggestions for implementing WAFs in requirement 6.6 and finds them "pretty reasonable." However, he also outlines a few less obvious ways a WAF may not be a good choice for your company. In addition, Kevin again recommends steps companies should take -- regardless of PCI -- in order to be secure.

  • Article: Web application firewalls critical for application security: In early 2006, Colleen Frye interviewed a number of application security experts about WAFs and how they bolster security. These insights are more important now than ever.

  • Tip: Application firewall tips and tricks: Michael Cobb lays out the ground rules for selecting a WAF, integrating it with your system, and figuring out how to make it work. Whitelisting, blacklisting, and auditing instructions are included.

  • Article: Let's talk Web application firewalls (WAFs): This is actually a blog post by noted application security expert Jeremiah Grossman, but it is thorough enough to be considered an article. Grossman is a fan of WAFs but understands their limitations. In "Can WAFs protect against business logic flaws?" Grossman discusses the ability of WAFs to prevent certain business logic attacks while also explaining what WAFs are incapable of preventing. WAFs are a piece, but a valuable piece, of the application security puzzle, he argues.

  • Article: Web application firewall market maturing: This is an older article, but its lessons still apply today to WAFs.

  • Visit our next section on Web application security and the PCI DSS.
