
What are the compliance requirements for Web application firewalls?

Web application firewalls may be a way to better security, but organizations need to be aware of the compliance implications of WAFs.

We're getting ready to purchase a new Web application firewall. Have PCI DSS or any other compliance mandates from the past few years changed the features that we should look for in our WAF? Do WAFs have specific compliance-related controls?

Web application firewalls (WAFs) are specialized security devices that protect Web-based applications from common exploits, such as SQL injections, cross-site scripting and other security flaws. WAFs may be hardware appliances, virtual servers or Web server plug-ins that analyze Web requests for suspicious content before allowing the Web server to process the request. It is important to note that Web application firewalls perform a completely different function than network firewalls and supplement, rather than replace, those devices.

PCI DSS does not explicitly require Web application firewalls but rather proposes them as one of two options for meeting PCI DSS Requirement 6.6. This requirement mandates that organizations address new Web-based threats and protect Web applications against known attacks. Organizations may meet requirement 6.6 by either conducting application vulnerability security assessments or installing a WAF.

Many organizations feel that WAFs are the least time-consuming route and provide greater security benefit by actively protecting against attacks rather than simply identifying vulnerabilities that developers and system administrators must later correct. Organizations that choose the WAF route should be aware of four requirements for a PCI DSS-acceptable WAF:

  • The WAF must be placed in front of public-facing Web applications
  • It must be actively running with current security updates
  • It must generate audit logs
  • The WAF must either block Web-based attacks or generate alerts for suspicious activity

Many vendors produce WAF products that meet these requirements and form an important component of an organization's security infrastructure. The WAF protects Web applications from direct exposure to the Internet, filtering out malicious requests before they reach targeted applications.
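As an added illustration (not code from this article or from any WAF vendor), the Python sketch below shows the behaviours described above in working form: every request is inspected before the application sees it, the inspector runs in either block or alert mode, and an audit record is written for every decision, whether or not a rule matched. The signatures, the request dictionary format and the three sample requests are constructed for the example; a real WAF uses a maintained rule set and sits in the HTTP path itself.

```python
import json
import re
import urllib.parse
from datetime import datetime, timezone

# Illustrative signatures for the two exploit classes named in the article.
# Deliberately simple; a production WAF relies on a maintained rule set.
SIGNATURES = {
    "sqli": re.compile(r"'\s*or\s+\d+\s*=\s*\d+|union\s+select", re.IGNORECASE),
    "xss": re.compile(r"<\s*script|javascript:", re.IGNORECASE),
}


class RequestInspector:
    """Inspects HTTP requests before the web server handles them.

    mode="block" rejects matching requests; mode="alert" lets them through
    but records an alert. Either mode writes an audit record for every
    request, which is what the PCI DSS Requirement 6.6 WAF criteria expect.
    """

    def __init__(self, mode="block"):
        if mode not in ("block", "alert"):
            raise ValueError("mode must be 'block' or 'alert'")
        self.mode = mode
        self.audit_log = []  # one JSON line per inspected request

    def _matched_rule(self, request):
        # Gather every attacker-controlled string, URL-decoded so that
        # encoded payloads (for example %3Cscript%3E) are matched decoded.
        fields = [urllib.parse.unquote_plus(request.get("path", ""))]
        query = request.get("query", "")
        for values in urllib.parse.parse_qs(query, keep_blank_values=True).values():
            fields.extend(values)
        fields.append(urllib.parse.unquote_plus(request.get("body", "")))
        fields.extend(request.get("headers", {}).values())
        for name, pattern in SIGNATURES.items():
            if any(pattern.search(field) for field in fields):
                return name
        return None

    def inspect(self, request):
        """Return the decision for one request and append an audit record."""
        rule = self._matched_rule(request)
        action = "allow" if rule is None else self.mode
        self.audit_log.append(json.dumps({
            "ts": datetime.now(timezone.utc).isoformat(),
            "client": request.get("client", "unknown"),
            "method": request.get("method", "GET"),
            "path": request.get("path", "/"),
            "rule": rule,
            "action": action,
        }))
        return {"action": action, "rule": rule}


# Constructed sample requests (not captured traffic); the third one carries
# its payload URL-encoded to show that decoding happens before matching.
SAMPLE_REQUESTS = [
    {"client": "198.51.100.7", "method": "GET", "path": "/products",
     "query": "id=42", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"client": "198.51.100.8", "method": "GET", "path": "/products",
     "query": "id=1'+OR+1=1", "headers": {"User-Agent": "curl/8.0"}},
    {"client": "198.51.100.9", "method": "GET", "path": "/search",
     "query": "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", "headers": {}},
]


def run_samples(mode):
    """Inspect the sample requests; return decisions and parsed audit records."""
    waf = RequestInspector(mode=mode)
    decisions = [waf.inspect(request) for request in SAMPLE_REQUESTS]
    records = [json.loads(line) for line in waf.audit_log]
    return decisions, records


if __name__ == "__main__":
    for mode in ("block", "alert"):
        decisions, records = run_samples(mode)
        print(mode, [d["action"] for d in decisions])
        for record in records:
            print(" ", record)
```

Running the script in block mode allows the first request and blocks the other two; in alert mode the same two requests are passed through but logged as alerts. In both modes the audit log holds three records, one per request, which is the property an assessor would look for when checking the logging criterion.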


This was last published in August 2015
