Problem solve Get help with specific problems with your technologies, process and projects.

How to choose between source code reviews or Web application firewalls

Michael Cobb explains how to make the right choice between Web application firewalls or source code security reviews.

Before you decide whether a source code review or Web application firewalls best meet your PCI DSS compliance needs, I recommend taking time to fully understand PCI's Web application requirements, including the clarification documents, and consider how the approved options mesh with your architecture and resources. It is now clear that enterprises have multiple paths to compliance and, if executed properly, any of the options will not only help achieve compliance, but also improve Web application security.

Of course, there is no one-size-fits-all approach to application security. Unless you are in the fortunate position to be able to both conduct code reviews and run a WAF, it looks like the choice may simply come down to people. Does the enterprise have staff that can:

  • Configure and maintain an application-layer firewall?
  • Perform a code review?
  • Use a third-party vulnerability detection tool and fix any problems the review uncovers?

    For more on PCI

    Get the latest news, interviews, instructional videos and technical advice on the PCI Data Security Standard.
    Of course, the decision could also depend upon architecture considerations and how well a WAF would work with existing systems and devices. A factor to consider, particularly for those leaning towards a third-party code review, is how comfortable the organization may be with the status of its code. Payment card applications develop over time and may include some legacy code of unknown origin and unclear purpose. Security staff may not want to remove legacy code and run the risk of breaking a mission-critical application. Placing a firewall in front of an application might be less costly, or less disruptive, than rewriting it in light of a code review.

    Another approach is to use threat modeling to identify and evaluate the risks to an application. Take the top three critical risks and decide how best to remediate them: code review, vulnerability assessment or WAF. Be aware, though, that implementing a WAF will not eliminate the need for you to have a secure software development process in place (Requirement 6.3)! Application vulnerability assessments and code reviews both strengthen the development and quality assurance cycle.

    Many of these choices are likely to be too costly for the small e-commerce site, so my recommendation here would be to outsource the payments to a third-party payment provider, which affectively outsources all of the expensive security requirements, including Web security, as well as the actual PCI DSS compliance. As long as you don't handle any of the card payments anywhere else, you don't need to be PCI DSS compliant.

    Compliance vs. security
    No matter what choices you make, many would debate whether PCI compliance equates to acceptable levels of security. Those responsible for security need to understand the limitations and capabilities of each option. Source code analysis alone may deliver compliance, but it's not the answer to application security. No one thing is. PCI DSS focuses on payment card applications and components related to PCI. It doesn't look at an organization and its entire networked operations in a holistic manner, requiring security to be implemented across the board.

    Don't miss need-to-know info!

    Security pros can't afford to be the last to know. Sign up for email updates from and you'll never be behind the curve!
    Even with the clarifications provided by the PCI Requirement 6.6 Information Supplement, many merchants are still unsure of what actions are good enough to gain compliance. This leads to the classical compliance dilemma. If you promulgate a standard intended to increase security, you must be prepared to answer the question: "What must I do to comply with the standard?" Which quickly evolves into: "What is the minimum I can do to be in compliance?" If you view PCI compliance from the "check the box and move on" viewpoint, then a WAF appears the quick and easy option.

    The PCI DSS, however, does give organizations the foundation for creating a secure architecture and business model they can operate on. It has also put security on the board room agenda. If you're concerned with security, getting PCI compliance will be a byproduct. Until your developers program securely, a layered security solution will always be the best approach for mitigating risks, in this case, one that includes code review, vulnerability assessment and a WAF. The WAF will be more effective once results from a vulnerability scan have been integrated into its configuration. This will provide protection while the source code is analyzed and corrected to eliminate the vulnerabilities.

    Will vulnerabilities still come to light even after a PCI review? Sure, but not as many and hopefully not as serious. Costs and business drivers may result in lower levels of assessment and protection, but those are the real world business decisions that have to be taken.

    For more information:

  • PCI management: The case for Web application firewalls
  • The PCI compliance case for source code review
  • How to choose between source code reviews or Web application firewalls

    About the author:
    Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several Security Schools and, as a site expert, answers user questions on application security and platform security.

  • This was last published in April 2009

    Dig Deeper on Application firewall security

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.