COMPLIANCE COUNSELOR

How to choose between source code reviews or Web application firewalls


Michael Cobb, Contributor
04.23.2009




Before you decide whether a source code review or Web application firewalls best meet your PCI DSS compliance needs, I recommend taking time to fully understand PCI's Web application requirements, including the clarification documents, and consider how the approved options mesh with your architecture and resources. It is now clear that enterprises have multiple paths to compliance and, if executed properly, any of the options will not only help achieve compliance, but also improve Web application security.

Of course, there is no one-size-fits-all approach to application security. Unless you are in the fortunate position to be able to both conduct code reviews and run a WAF, it looks like the choice may simply come down to people. Does the enterprise have staff that can:

  • Configure and maintain an application-layer firewall?
  • Perform a code review?
  • Use a third-party vulnerability detection tool and fix any problems the review uncovers?

Of course, the decision could also depend upon architecture considerations and how well a WAF would work with existing systems and devices. A factor to consider, particularly for those leaning towards a third-party code review, is how comfortable the organization is with the state of its code. Payment card applications develop over time and may include legacy code of unknown origin and unclear purpose. Security staff may not want to remove legacy code and run the risk of breaking a mission-critical application. Placing a firewall in front of an application might be less costly, or less disruptive, than rewriting it in light of a code review.

Another approach is to use threat modeling to identify and evaluate the risks to an application. Take the top three critical risks and decide how best to remediate them: code review, vulnerability assessment or WAF. Be aware, though, that implementing a WAF will not eliminate the need for you to have a secure software development process in place (Requirement 6.3)! Application vulnerability assessments and code reviews both strengthen the development and quality assurance cycle.

Many of these choices are likely to be too costly for the small e-commerce site, so my recommendation here would be to outsource the payments to a third-party payment provider, which effectively outsources all of the expensive security requirements, including Web security, as well as the actual PCI DSS compliance. As long as you don't handle any of the card payments anywhere else, you don't need to be PCI DSS compliant.

Compliance vs. security
No matter what choices you make, many would debate whether PCI compliance equates to an acceptable level of security. Those responsible for security need to understand the limitations and capabilities of each option. Source code analysis alone may deliver compliance, but it's not the answer to application security. No one thing is. PCI DSS focuses on payment card applications and components related to PCI. It doesn't look at an organization and its entire networked operations in a holistic manner, one that would require security to be implemented across the board.

Even with the clarifications provided by the PCI Requirement 6.6 Information Supplement, many merchants are still unsure of what actions are good enough to gain compliance. This leads to the classic compliance dilemma. If you promulgate a standard intended to increase security, you must be prepared to answer the question "What must I do to comply with the standard?", which quickly evolves into "What is the minimum I can do to be in compliance?" If you view PCI compliance from the "check the box and move on" viewpoint, then a WAF appears to be the quick and easy option.

The PCI DSS, however, does give organizations the foundation for a secure architecture and business model they can operate on. It has also put security on the boardroom agenda. If you're concerned with security, PCI compliance will be a byproduct. Until your developers program securely, a layered security solution will always be the best approach for mitigating risks; in this case, one that includes code review, vulnerability assessment and a WAF. The WAF will be more effective once results from a vulnerability scan have been integrated into its configuration. This provides protection while the source code is analyzed and corrected to eliminate the vulnerabilities.
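The paragraph above describes feeding vulnerability-scan results into the WAF so it shields the application while the code is being fixed. The following is an added illustration of that idea in Python, not code from the article or from any WAF product: each scan finding (a path, a parameter and the input format the parameter legitimately accepts) is turned into an allowlist "virtual patch" enforced by a small WSGI middleware in front of the application. The findings, paths, parameter names and allowed patterns are all constructed for the example; a real deployment would derive them from the scan report and the application's own input specification.

```python
import logging
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

log = logging.getLogger("waf.virtual-patch")

# Constructed sample findings, summarised into the shape a scanner report
# might be reduced to. Paths, parameters and patterns are assumptions.
SCAN_FINDINGS = [
    {"id": "finding-001", "path": "/account", "param": "id",
     "issue": "SQL injection", "allowed": r"[0-9]{1,10}"},
    {"id": "finding-002", "path": "/search", "param": "q",
     "issue": "Reflected XSS", "allowed": r"[A-Za-z0-9 _\-.]{0,64}"},
]


class VirtualPatch:
    """Positive-security rule: the named parameter on the named path must
    fully match the allowed pattern, otherwise the request is rejected."""

    def __init__(self, finding: Dict[str, str]) -> None:
        self.finding_id = finding["id"]
        self.path = finding["path"]
        self.param = finding["param"]
        self.issue = finding["issue"]
        self.allowed = re.compile(finding["allowed"])

    def violated_by(self, path: str, params: Dict[str, List[str]]) -> bool:
        if path != self.path or self.param not in params:
            return False  # rule does not apply to this request
        # Every value of the parameter must conform (a repeated parameter
        # with one bad value is still a violation).
        return any(self.allowed.fullmatch(v) is None for v in params[self.param])


def build_patches(findings: List[Dict[str, str]]) -> List[VirtualPatch]:
    return [VirtualPatch(f) for f in findings]


def inspect_request(path: str, query: str,
                    patches: List[VirtualPatch]) -> Tuple[bool, Optional[str]]:
    """Return (allowed, finding_id). finding_id names the patch that fired."""
    params = parse_qs(query, keep_blank_values=True)
    for patch in patches:
        if patch.violated_by(path, params):
            # Log the finding id, not the offending value, so logs stay clean.
            log.warning("blocked %s: %s on %s violates %s",
                        patch.finding_id, patch.param, path, patch.issue)
            return False, patch.finding_id
    return True, None


def waf_middleware(app, patches: List[VirtualPatch]):
    """WSGI wrapper that answers 403 when a virtual patch is violated."""
    def wrapped(environ, start_response):
        ok, _ = inspect_request(environ.get("PATH_INFO", "/"),
                                environ.get("QUERY_STRING", ""), patches)
        if not ok:
            body = b"Forbidden\n"
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the (still unpatched) payment application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def run_request(app, path: str, query: str) -> Tuple[str, bytes]:
    """Drive a WSGI app with a constructed GET request; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


protected_app = waf_middleware(demo_app, build_patches(SCAN_FINDINGS))

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for path, query in [("/account", "id=42"), ("/account", "id=12abc"),
                        ("/search", "q=hello world"), ("/search", "q=<b>hi</b>"),
                        ("/other", "id=12abc")]:
        print(path, query, "->", run_request(protected_app, path, query)[0])
```

Because the rule is an allowlist derived from what the parameter should contain, it blocks any non-conforming input without needing a signature for each attack variant, and requests to paths without a finding pass straight through. Once the code itself is fixed and the scan no longer reports the issue, the corresponding patch can be retired.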

Will vulnerabilities still come to light even after a PCI review? Sure, but not as many and hopefully not as serious. Costs and business drivers may result in lower levels of assessment and protection, but those are the real-world business decisions that have to be taken.

For more information:

  • PCI management: The case for Web application firewalls
  • The PCI compliance case for source code review

About the author:
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

All Rights Reserved, Copyright 2003 - 2009, TechTarget