Requirement 6.6 of the PCI Data Security Standard (PCI DSS) offers two options to protect Web applications that
handle payment card data against known attacks. The first is a review of all Web application code developed in-house, of which there are four alternative approaches, or deploy a Web application firewall (WAF) positioned between the Web application and the client.
In today's threat climate, a strong case can be made for both putting a WAF in front of Web-facing applications and having application code reviewed. The PCI Information Supplement for Requirement 6.6 actually states: "Proper implementation of both options would provide the best multi-layered defense." However, in this tough economic environment, many enterprises can't afford the resources to be able to master application code reviews and manage a WAF. Therefore the choice is vital to ensure the selected approach provides security and compliance while being cost effective.
The main argument in favor of taking the application firewall route to meet your PCI management and compliance obligations is that, if properly supported, it can actively protect against common as well as emerging threats, something a one-time code review can not. The most advanced WAFs use statistical analyses to "learn" appropriate requests and responses to and from target applications. Once these patterns have been learned, the firewall can block or alert when abnormal requests occur.
. However, a WAF may be difficult to integrate into your existing architecture, complicating already complex systems. Some features, such as blocking unusual headers or content that does not conform to Web standards, may even cause your application to break, while disabling them may mean that you're no longer PCI-compliant.
Before purchasing a WAF, you must ensure that it can perform the functions detailed in the Information Supplement, such as preventing data leakage by analyzing outbound traffic and inspecting Web services' messages by parsing SOAP and XML. You then need to test whether, when properly configured, it can enforce all the requirements without breaking your application. The Information Supplement does cover some of the issues you need to consider to ensure it is deployed correctly and works effectively, including modifying a WAF's settings to correctly handle AJAX technologies.
The cost of procuring, implementing and maintaining a WAF can be significant, and may work out to be more expensive than a code review. Total cost will depend upon the level of application traffic, ongoing licensing fees and personnel costs to manage and maintain it. Pricing varies between brands, but you could easily be looking at a purchase cost of around $5,000 for something that will handle around 900 MB of throughput with the high end being close to $100,000 for firewalls used to protect large, high-traffic financial portals. Open source software WAFs, such as AQTRONIX WebKnight, are an option if they meet your requirements. They can greatly reduce your costs, but you will still need staff to learn, install, configure and maintain them.
Installing a WAF is one thing; proactively managing it 24x7 is another. You will need to ensure that you have administrators with the ability and time to deal with alerts and new threats. A WAF can be a single point of failure for your website and is only as good as its configuration. For example, it only takes one oversight, say in whitelisting acceptable behavior referred to in the Information Supplement, to create a gaping hole. If you have staff on hand with the skills to tune and manage an application firewall, like the folks who are already running your enterprise firewall, these additional costs may only be nominal.
[The much-needed clarification document Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified released in February 2008 states more clearly what a WAF has to do and how extensive the code review has to be.]
For more information:
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.