Code Review or WAFs? PCI 6.6

by Ulf Mattsson – CTO of Protegrity – Wednesday, 28 January 2009.

Short answer: both. Compliance with requirement 6.6 of the PCI DSS cites the use of either a web application firewall (WAF) or code review. It’s far more effective to combine both.

Ultimately, you want to build the vulnerability scanning and testing phase into your development process. Realistically, however, enterprises should be more concerned about the applications they’ve already deployed than about revamping their QA process. Enterprises should attack the problem first by identifying all their sites and the applications running on them. An audit by a third-party expert and a through scan by a vulnerability scanning tool can give the enterprise a starting point for remediation. And a WAF will keep the criminals out and the applications running while you’re working to correct problems. The best web application firewalls feature threat level driven security policy escalation capable of dynamically adjusting protection levels as conditions warrant.

Unfortunately there are many classes of vulnerabilities which automated tools cannot easily spot, so we must also utilize other methods for identifying the “false negatives” – vulnerabilities that exist in the code, but were missed. The two primary approaches used for web application testing are “Fault Injection” and “Source Code Analysis.” The former focuses on interactive testing of a website, trying to force error conditions.

Qualys: This free security guide describes the scanning requirements for PCI-DSS and provides a quick-reference requirements matrix for both Merchants and Service Providers of all levels.

Source Code Analysis looks at how data flows through an application and where the application might be manipulated. (These are necessarily simplistic explanations of complex procedures that are beyond the scope of this short article.) I prefer using a mix of both approaches, known as “Grey Box Assessment,” to gain the most complete picture possible of an application’s security profile. Grey Box also combines aspects of White Box assessment, conducted with full access of an application’s functional specifications and source code, and Black Box assessments, where a tester begins work with absolutely no knowledge of the application.

Since there are potentially an infinite number of tests that can be run when testing an application, the best-practice approach is to risk-prioritize the work. Designate critical application areas as highest risk, and etc. in descending order of perceived risk, and thoroughly test what most needs to be tested. Then audit the network regularly to spot any problems, develop a process for patching and correcting code, and consider scheduling security audits conducted by outside experts on a yearly basis.

Code review and penetration testing, teamed with sound policies, procedures and smart technology, will help put malicious hackers out of the data-stealing business. Layers of security is far from a new idea, but it will remain valid for years to come.

via Code Review or WAFs? PCI 6.6.