We're getting ready to purchase a new Web application firewall. Have PCI DSS or any other compliance mandates from...
the past few years changed the features that we should look for in our WAF? Do WAFs have specific compliance-related controls?
Web application firewalls (WAFs) are specialized security devices that protect Web-based applications from common exploits, such as SQL injections, cross-site scripting and other security flaws. WAFs may be hardware appliances, virtual servers or Web server plug-ins that analyze Web requests for suspicious content before allowing the Web server to process the request. It is important to note that Web application firewalls perform a completely different function than network firewalls and supplement, rather than replace, those devices.
PCI DSS does not explicitly require Web application firewalls but rather proposes them as one of two options for meeting PCI DSS Requirement 6.6. This requirement mandates that organizations address new Web-based threats and protect Web applications against known attacks. Organizations may meet requirement 6.6 by either conducting application vulnerability security assessments or installing a WAF.
Many organizations feel that WAFs are the least time-consuming route and provide greater security benefit by actively protecting against attacks rather than simply identifying vulnerabilities that developers and system administrators must later correct. Organizations that choose the WAF route should be aware of four requirements for a PCI DSS-acceptable WAF:
- The WAF must be placed in front of public-facing Web applications
- It must be actively running with current security updates
- It must generate audit logs
- The WAF must either block Web-based attacks or generate alerts for suspicious activity
Many vendors produce WAF products that meet these requirements and form an important component of an organization's security infrastructure. The WAF protects Web applications from direct exposure to the Internet, filtering out malicious requests before they reach targeted applications.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading