Requirement 6.6 of the PCI Data Security Standard (PCI DSS) offers two options to protect Web applications that handle payment card data against known attacks. The first is a review of all Web application code developed in-house, of which there are four alternative approaches, or deploy a Web application firewall (WAF) positioned between the Web application and the client.
In today's threat climate, a strong case can be made for both putting a WAF in front of Web-facing applications and having application code reviewed. The PCI Information Supplement for Requirement 6.6 actually states: "Proper implementation of both options would provide the best multi-layered defense." However, in this tough economic environment, many enterprises can't afford the resources to be able to master application code reviews and manage a WAF. Therefore the choice is vital to ensure the selected approach provides security and compliance while being cost effective.
The main argument in favor of taking the application firewall route to meet your PCI management and compliance obligations is that, if properly supported, it can actively protect against common as well as emerging threats, something a one-time code review can not. The most advanced WAFs use statistical analyses to "learn" appropriate requests and responses to and from target applications. Once these patterns have been learned, the firewall can block or alert when abnormal requests occur.
A code review might be able to list classes of attack against which the code is deemed secure, and a reviewer may be able to discount some emerging threats by referring to that list. A code review, however, does not provide a way to tweak application proxies in response to attacks. You may even already have the necessary WAF capabilities in your existing firewall. Some large firewall vendors offer Web application layer protection as add-on modules. This would greatly reduce the cost and effort of managing a separate WAF.
.
However, a WAF may be difficult to integrate into your existing architecture, complicating already complex systems. Some features, such as blocking unusual headers or content that does not conform to Web standards, may even cause your application to break, while disabling them may mean that you're no longer PCI-compliant.
Before purchasing a WAF, you must ensure that it can perform the functions detailed in the Information Supplement, such as preventing data leakage by analyzing outbound traffic and inspecting Web services' messages by parsing SOAP and XML. You then need to test whether, when properly configured, it can enforce all the requirements without breaking your application. The Information Supplement does cover some of the issues you need to consider to ensure it is deployed correctly and works effectively, including modifying a WAF's settings to correctly handle AJAX technologies.
Web application firewall costs
The cost of procuring, implementing and maintaining a WAF can be significant, and may work out to be more expensive than a code review. Total cost will depend upon the level of application traffic, ongoing licensing fees and personnel costs to manage and maintain it. Pricing varies between brands, but you could easily be looking at a purchase cost of around $5,000 for something that will handle around 900 MB of throughput with the high end being close to $100,000 for firewalls used to protect large, high-traffic financial portals. Open source software WAFs, such as AQTRONIX WebKnight, are an option if they meet your requirements. They can greatly reduce your costs, but you will still need staff to learn, install, configure and maintain them.
Installing a WAF is one thing; proactively managing it 24x7 is another. You will need to ensure that you have administrators with the ability and time to deal with alerts and new threats. A WAF can be a single point of failure for your website and is only as good as its configuration. For example, it only takes one oversight, say in whitelisting acceptable behavior referred to in the Information Supplement, to create a gaping hole. If you have staff on hand with the skills to tune and manage an application firewall, like the folks who are already running your enterprise firewall, these additional costs may only be nominal.
[The much-needed clarification document Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified released in February 2008 states more clearly what a WAF has to do and how extensive the code review has to be.]
For more information:
PCI management: The case for Web application firewalls
The PCI compliance case for source code review
How to choose between source code reviews or Web application firewalls
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
