The PCI Data Security Standard (PCI DSS) requirement for securing Web applications takes effect Monday, and while some companies have figured out a compliance strategy, others are still sorting one out.
Requirement 6.6 gives merchants and other organizations that need to be PCI-compliant two options for protecting Web applications -- application code reviews and Web application firewalls. The requirement has been a best practice for two years, which gave companies a long lead time to put a strategy in place before Monday's deadline, said Diana Kelley, founder and partner at consulting firm Security Curve.
Level 1 merchants -- those with more than 6 million payment card transactions annually -- are especially prepared, having been advised by auditors for several months on the requirement, said Terri Quinn-Andry, compliance solutions manager at Cisco Systems Inc. But Level 2 and 3 merchants are more likely to be scrambling, she added. "They're just starting to think what they need to do around it."
Branden Williams, a director at VeriSign Inc. and a PCI DSS Qualified Security Assessor, said some companies are "still in panic mode" over Requirement 6.6.
For companies that have a compliance strategy in order, Quinn-Andry said she's seeing a combination of code review and Web application firewall. The PCI Security Standards Council said "proper implementation of both options would provide the best multi-layered defense" in guidance issued earlier this year.
"The best practice is you do both," Quinn-Andry said. "You put in a Web application firewall and also perform source code review, especially on Web applications that have been built in-house versus commercially bought."
The PCI SSC outlined four alternatives for fulfilling the code review option: manual review of application source code, proper use of automated application source scanning tools, manual Web application security vulnerability assessment, and proper use of automated Web application security vulnerability scanning tools.
Quinn-Andry said she does see a split between some small and large organizations, with smaller ones saying they can't afford a Web application firewall and opting for source code review, and larger ones planning on putting in a firewall first and then seeing if they need to do anything else.
Dave Shackleford, director of Configuresoft Inc.'s center for policy and compliance, said he's seeing the same trend, with midsized to larger companies choosing Web application firewalls because it's easier to buy a box and plop it in the network than to conduct a detailed code review.
"The key here is that the standard doesn't mandate turning on the blocking mode, so they can just put it [the firewall] in 'learning mode' indefinitely," he wrote in an email.
Smaller companies are just as likely to consider code review options since the costs are reasonable, Shackleford said. They might buy software to do their own analysis and then get a third party to check their code after they fixed problems. Or, since that can be expensive, they might just outsource the entire project and fix flaws after the review, especially if they only have a small code base or few applications, he added.
Overall, though, more companies opt for the Web application firewall, said Roger Nebel, an independent PCI DSS auditor and director of strategic security at FTI Consulting Inc.
"Most are going for an application-level firewall because it's relatively easy compared to finding someone competent to do code review, and you can only really do code review on software where you have access to the source code, so purchased software usually can't be reviewed," he said in an email.
But Security Curve's Kelley said she's heard some recent complaints about the time required to configure and manage Web application firewalls, which is making some companies rethink code review.
Williams said VeriSign recommends code review over the application firewall. "The code review will find the problem at the source versus the Web application firewall, which, as long as it's tuned correctly, will find the bad things."
Ultimately, though, he said he thinks customers will opt for a hybrid strategy, with the Web application firewall likely implemented in passive mode along with formal code reviews. "Application vulnerabilities are continuing to increase and until we fix the education system and teach secure coding at universities, we're going to have this problem," Williams said.