|
What you need to know
Whenever new legislation or security requirements are introduced, those tasked with ensuring compliance often tend to rush the decision-making process. Many system administrators base their decision on a single vendor's sales pitch or a particular requirement or feature they've picked up on.
The result, more than likely, will be inappropriate or less than optimal security. Even a tight deadline doesn't absolve you of due diligence. To choose a security device such as a Web application firewall, you need to answer the following questions:
- What does it need to do based on your security policy objectives and legislative requirements?
- What additional services would be valuable?
- How will it fit into your existing network -- do you have the in-house skills to use it correctly and effectively?
- How will it affect existing services and users and at what cost?
New compliance ...
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
requirements such as PCI DSS require you to update or at least review your security policy before you can answer the first question. A good security policy defines your objectives and requirements for securing your data. That foundation allows you to define what security devices are appropriate to meet your requirements. Since each Web application is unique, security must be custom-tailored to protect against the potential threats identified during the threat modeling phase of your secure lifecycle development program. Review which of these threats the WAFs under consideration safeguard against--such as analyzing parameters passed via cookies or URLs and providing defenses against all of the OWASP Top Ten application vulnerabilities--as well as any additional requirements mandated for compliance.
|
 |
|
