Responding to a wave of criticism and confusion surrounding the imminent deadline for a new section of the PCI Data Security Standard regarding Web application security, the PCI Security Standards Council on Tuesday released documentation intended to clarify the requirements for securing Web applications.
The clarification is meant to settle some of the confusion regarding the pending enforcement of PCI DSS Requirement 6.6 , which covers application firewalls and code reviews.
Security practitioners and industry observers had criticized the language in the new requirement, saying that it was unclear whether organizations needed to perform a code review and deploy a Web application firewall, or whether one or the other is sufficient. The new document explains that companies can do either the code review or install the application firewall, but that the council would ideally like to see them do both.
"The intent of Requirement 6.6 is to ensure Web applications exposed to the public Internet are protected against the most common types of malicious input. There is a great deal of public information available regarding Web application vulnerabilities," the council wrote in its guidance. "Proper implementation of both options would provide the best multi-layered defense. PCI SSC recognizes that the cost and operational complexity of deploying both options may not be feasible. Further, one or the other option may not be possible in some situations. However, it should be possible to apply at least one of the alternatives described in this paper and proper implementation can meet the intent of the requirement."
For organizations considering the application code review option, the PCI SSC laid out some more detailed information on what qualifies as a code review. For example, the new guidance defines such reviews as being "dynamic and pro-active, requiring the specific initiation of a manual or automated process." The four options for code reviews that meet Requirement 6.6 include:
- Manual review of application source code
- Proper use of automated application source code analyzer tools
- Manual Web application security vulnerability assessment
- Proper use of automated Web application security vulnerability assessment tools
As for the Web application firewall, the PCI SSC specifies that the firewall be "a security policy enforcement point positioned between a Web application and the client end point." That's a fairly broad definition, and the new guidance further broadens it by saying that the firewall can be either a dedicated appliance or a software application running on a server.
However, the council is careful to say that simply deploying one of these protection methods is not enough to guarantee compliance with Requirement 6.6. "Note that compliance is not assured by merely implementing a product with the capabilities described in this paper," the guidance says. "Implementing a [Web application firewall] is one option to meet Requirement 6.6 and does not eliminate the need for a secure software development process."
Requirement 6.6 is due to go into effect on June 30.