Q

The value of compliance-ready Web application security assessments

Does a Web application security assessment termed 'compliance ready' seem too good to be true? Learn its role in an enterprise compliance program.

I recently read about a Web application security management provider offering what it calls a compliance-ready assessment. Is this snake oil, or can such a service actually support my compliance program?

Web application security is a critical component of many organizations' IT compliance programs due to the fact that Web applications often present one of the closest interactions between individuals outside the organization and the sensitive data stored within the organization's databases. SQL injection, cross-site scripting, cross-site request forgery and similar attacks present a significant risk of data compromise unless they're properly managed.

Web application security assessment products have been on the market for many years and are widely used by application development and information security professionals who seek to uncover hidden vulnerabilities in their organization's applications. In recent years, many of these products have also become available through managed security solution providers, or MSSPs, that take the burden of managing and executing vulnerability scans out of the hands of an organization's IT staff.

These products can certainly be compliance-ready and play an important role in supporting your organization's compliance program because they can strengthen the security of your Web applications. The important thing to recognize is that while they might assist you with complying with various security regulations, they can't make you compliant.

As with so many other categories of security products, you must remember that there is no silver bullet that will automatically make you compliant. For example, conducting scans with one of these products might satisfy your obligations under PCI DSS requirement 6.6, which requires you to either install a Web application firewall or review "public-facing Web applications via manual or automated application vulnerability assessment tools."

So, in short, there are plenty of solid Web app security assessment products and services out there, but don't let vendors' slick marketing efforts sway your decision. Always evaluate security products and services on their merits -- if a promise sounds too good to be true, it probably is.

Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

This was first published in June 2014
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close