PCI Council issues clarification on Web application security

By Dennis Fisher, Executive Editor
22 Apr 2008 | SearchSecurity.com


Responding to a wave of criticism and confusion surrounding the imminent deadline for a new section of the PCI Data Security Standard regarding Web application security, the PCI Security Standards Council on Tuesday released documentation intended to clarify the requirements for securing Web applications.


The clarification is meant to settle some of the confusion regarding the pending enforcement of PCI DSS Requirement 6.6, which covers Web application firewalls and application code reviews.

Security practitioners and industry observers had criticized the language in the new requirement, saying that it was unclear whether organizations needed to both perform a code review and deploy a Web application firewall, or whether one or the other was sufficient. The new document explains that companies can satisfy the requirement with either the code review or the application firewall, but that the council would ideally like to see them do both.

"The intent of Requirement 6.6 is to ensure Web applications exposed to the public Internet are protected against the most common types of malicious input. There is a great deal of public information available regarding Web application vulnerabilities," the council wrote in its guidance. "Proper implementation of both options would provide the best multi-layered defense. PCI SSC recognizes that the cost and operational complexity of deploying both options may not be feasible. Further, one or the other option may not be possible in some situations. However, it should be possible to apply at least one of the alternatives described in this paper and proper implementation can meet the intent of the requirement."

For organizations considering the application code review option, the PCI SSC laid out more detailed information on what qualifies as a code review. For example, the new guidance defines such reviews as being "dynamic and pro-active, requiring the specific initiation of a manual or automated process." The four approaches that meet the code review option of Requirement 6.6 are:

  • Manual review of application source code
  • Proper use of automated application source code analyzer tools
  • Manual Web application security vulnerability assessment
  • Proper use of automated Web application security vulnerability assessment tools

As for the Web application firewall, the PCI SSC specifies that it be "a security policy enforcement point positioned between a Web application and the client end point." That is a fairly broad definition, and the new guidance broadens it further by saying that the firewall can be either a dedicated appliance or a software application running on a server.

However, the council is careful to say that simply deploying one of these protection methods is not enough to guarantee compliance with Requirement 6.6. "Note that compliance is not assured by merely implementing a product with the capabilities described in this paper," the guidance says. "Implementing a [Web application firewall] is one option to meet Requirement 6.6 and does not eliminate the need for a secure software development process."
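To make the two points above concrete, the following is an added example (not code from the PCI SSC guidance or from this article): a minimal "security policy enforcement point" implemented as WSGI middleware, which is the software-on-the-server form of a WAF the guidance allows, placed in front of an application that still validates its own input with a parameterised query. The rule set (`POLICY`), the application, the database contents and the sample requests are all constructed for illustration; a real deployment would use a maintained rule set rather than a handful of regular expressions.

```python
"""Added example: a software WAF as WSGI middleware in front of an app that
still does its own secure input handling. All names and data are illustrative."""
import io
import re
import sqlite3
from urllib.parse import parse_qs, unquote_plus
from wsgiref.util import setup_testing_defaults

# Hypothetical policy covering a few of the "most common types of malicious
# input": SQL injection, cross-site scripting and path traversal signatures.
POLICY = [
    ("sqli", re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s*$|;\s*drop\b)")),
    ("xss", re.compile(r"(?i)(<\s*script\b|javascript:|on\w+\s*=)")),
    ("traversal", re.compile(r"(\.\./|\.\.\\|%2e%2e%2f)", re.I)),
]


def inspect(value):
    """Return the name of the first rule a value violates, or None if clean.
    parse_qs already URL-decodes once; decoding again catches double encoding."""
    decoded = unquote_plus(value)
    for name, pattern in POLICY:
        if pattern.search(decoded):
            return name
    return None


def find_violation(environ):
    """Check query-string and form-body parameters; return (rule, field) or None."""
    sources = [parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)]
    if environ.get("REQUEST_METHOD") == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
        environ["wsgi.input"] = io.BytesIO(body.encode())  # let the app re-read the body
        sources.append(parse_qs(body, keep_blank_values=True))
    for params in sources:
        for field, values in params.items():
            for value in values:
                rule = inspect(value) or inspect(field)
                if rule:
                    return rule, field
    return None


class EnforcementPoint:
    """Sits between the client and the application; rejects requests that
    violate POLICY and passes everything else through untouched."""

    def __init__(self, app):
        self.app = app
        self.blocked = []  # (path, (rule, field)) for each rejected request

    def __call__(self, environ, start_response):
        violation = find_violation(environ)
        if violation:
            self.blocked.append((environ.get("PATH_INFO"), violation))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"request blocked by policy\n"]
        return self.app(environ, start_response)


def build_db():
    """Constructed in-memory table standing in for a cardholder-facing app's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers(name) VALUES (?)", [("alice",), ("bob",)])
    return conn


DB = build_db()


def app(environ, start_response):
    """The protected application. It uses a parameterised query regardless of
    the WAF: the enforcement point is an extra layer, not a substitute for
    a secure software development process."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    name = params.get("name", [""])[0]
    rows = DB.execute("SELECT id, name FROM customers WHERE name = ?", (name,)).fetchall()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"{rows}\n".encode()]


def run(handler, method, path, query="", body=b""):
    """Drive a WSGI handler with a constructed request; return (status, body_text)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD=method, PATH_INFO=path, QUERY_STRING=query,
                   CONTENT_LENGTH=str(len(body)))
    environ["wsgi.input"] = io.BytesIO(body)
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    out = b"".join(handler(environ, start_response))
    return captured["status"], out.decode()


PROTECTED = EnforcementPoint(app)

if __name__ == "__main__":
    print(run(PROTECTED, "GET", "/customer", "name=alice"))
    print(run(PROTECTED, "GET", "/customer", "name=alice%27+OR+%271%27%3D%271"))
    print(run(PROTECTED, "POST", "/search", body=b"q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"))
    print(PROTECTED.blocked)
```

Running the script shows the legitimate lookup passing through, the SQL injection and script payloads being rejected with 403 before they reach the application, and, if `app` is called directly without the middleware, the injection attempt returning an empty result because the query is parameterised. That last case is the point of the council's caveat: the enforcement point reduces exposure, but the application has to be written securely on its own.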

Requirement 6.6 is due to go into effect on June 30, 2008.
