We're getting ready to purchase a new Web application firewall. Have PCI DSS or any other compliance mandates from the past few years changed the features that we should look for in our WAF? Do WAFs have specific compliance-related controls?
Web application firewalls (WAFs) are specialized security devices that protect Web-based applications from common exploits, such as SQL injections, cross-site scripting and other security flaws. WAFs may be hardware appliances, virtual servers or Web server plug-ins that analyze Web requests for suspicious content before allowing the Web server to process the request. It is important to note that Web application firewalls perform a completely different function than network firewalls and supplement, rather than replace, those devices.
PCI DSS does not explicitly require Web application firewalls but rather proposes them as one of two options for meeting PCI DSS Requirement 6.6. This requirement mandates that organizations address new Web-based threats and protect Web applications against known attacks. Organizations may meet requirement 6.6 by either conducting application vulnerability security assessments or installing a WAF.
Many organizations feel that WAFs are the least time-consuming route and provide greater security benefit by actively protecting against attacks rather than simply identifying vulnerabilities that developers and system administrators must later correct. Organizations that choose the WAF route should be aware of four requirements for a PCI DSS-acceptable WAF:
- The WAF must be placed in front of public-facing Web applications
- It must be actively running with current security updates
- It must generate audit logs
- The WAF must either block Web-based attacks or generate alerts for suspicious activity
Many vendors produce WAF products that meet these requirements and form an important component of an organization's security infrastructure. The WAF protects Web applications from direct exposure to the Internet, filtering out malicious requests before they reach targeted applications.
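As an added illustration of the four criteria above (not part of the original answer), here is how they map onto the configuration of an open-source WAF, assuming ModSecurity v2 running as an Apache module with the OWASP Core Rule Set installed under a hypothetical path. The first block shows a deployment that would fail a PCI DSS 6.6 review; the second corrects each gap.

```apache
# --- Weak: would NOT satisfy PCI DSS Requirement 6.6 ---
# DetectionOnly evaluates rules but never blocks, and with the audit
# engine off there is no record of what was detected.
SecRuleEngine DetectionOnly
SecRequestBodyAccess Off
SecAuditEngine Off
# No rule set included: the WAF is "running" but inspects nothing.

# --- Corrected: maps to the four PCI DSS 6.6 criteria ---
# 1. In front of the public-facing app: load the module in the same
#    vhost that terminates client traffic (placement, not a directive).
# 2. Actively running with current rules: engine On and a maintained
#    rule set included. Path below is an assumption for this example.
SecRuleEngine On
SecRequestBodyAccess On
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf
# 3. Generate audit logs: record full request/response detail for any
#    transaction that triggered a rule or returned a 4xx/5xx (except 404).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
# 4. Block or alert: with SecRuleEngine On, CRS blocking rules deny the
#    request; alerts still reach the audit log for SOC review.
```

Keep the rule set on a patch schedule and verify the engine mode after every deployment; a WAF left in DetectionOnly after testing silently satisfies criterion 3 while failing criteria 2 and 4.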
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)