PCI DSS Requirement 6.6 indicates that when it comes to application security, companies have two options to achieve compliance: use an application firewall or conduct a code review. My team would like to keep costs down, but which one is ultimately the less expensive option?
PCI DSS Requirement 6.6 requires the implementation of security controls to address the risks facing public-facing Web applications. If a company operates a public-facing Web presence as part of its cardholder data environment, there are two options for compliance: conducting Web vulnerability assessments or installing a Web application firewall.
It's not possible for me to give a simple answer regarding the cost without more information about your organization and its operating environment. In most cases, expect the Web application firewall to be the more cost-effective route, especially when staff time is taken into consideration. If a company installs a Web application firewall and already has a robust security monitoring infrastructure, then once the initial deployment and tuning phase is complete it can simply route the firewall's alerts into that infrastructure and handle them in the same workflow that addresses intrusion alerts and other security anomalies.
Vulnerability assessment may have lower direct costs for licensing and hardware acquisition, but it is likely to consume much more staff time in running the scans and interpreting the results. The important thing to note is that the Web vulnerability assessment option is not a one-time activity: it requires testing at least annually and after any change to the Web application. If the code changes regularly, this becomes a significant burden on the security staff.
The bottom line is that it's important to evaluate these two options side by side in the context of the organization. Remember, this is not simply a compliance decision. Both options are valuable security tools, and companies should consider the role they play in their broader security program. In fact, while PCI DSS requires the implementation of only one of these controls, your own security requirements may suggest implementing them both simultaneously.