<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'>
I too was wondering how much of a boon 6.6 would be to the WAF vendors and/or the companies that do security code reviews. That is, until 4/22, when the PCI SSC issued a press release (https://www.pcisecuritystandards.org/pdfs/04-22-08.pdf) announcing an information supplement clarifying requirement 6.6 (https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf).<br><br>Clearly, completing security code reviews on all of those web applications and/or protecting them with those expensive "magic pizza boxes," which, last time that I checked (almost 2 years ago now), were running about $35K to start, wasn't going to happen any time soon. <br><br>The good news from that "information supplement" is that the PCI Security Standards Council defined what they mean by an application firewall and specified what it is supposed to do; the less good news is that they specified 4 alternative methods for satisfying the code review option: 1. manual security code review, 2. automated security code review, 3. manual web application vulnerability scan, and 4. automated web application vulnerability scan. While I think automation of code reviews and vulnerability scans is essential, I also believe that none of the automated tools are yet sufficient (completeness-wise) without some additional manual effort.<br><br>So, unfortunately for the WAF vendors, people can just use a static source code analysis tool or a web application vulnerability scanner instead of purchasing and deploying a WAF.<br><br>Michael<br><br>> Date: Mon, 30 Jun 2008 09:17:34 -0500<br>> From: gunnar@arctecgroup.net<br>> To: ken@krvw.com<br>> CC: SC-L@securecoding.org<br>> Subject: Re: [SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance<br>> <br>> for the vast majority of the profession - slamming the magic pizza box in a rack <br>> is more preferable than talking to developers. in many cases the biggest barrier <br>> to getting better security in companies is the so-called information security <br>> group. it has very little to do with technology, it's a people problem.<br>> <br>> -gp<br>> <br>> Kenneth Van Wyk wrote:<br>> > Happy PCI-DSS 6.6 day, everyone. (Wow, that's a sentence you don't hear <br>> > often.)<br>> > <br>> > http://www.internetnews.com/ec-news/article.php/3755916<br>> > <br>> > In talking with my customers over the past several months, I always find <br>> > it interesting that the vast majority would sooner have root canal than <br>> > submit their source code to anyone for external review. I'm betting PCI <br>> > 6.6 has been a boon for the web application firewall (WAF) world.<br>> > <br>> > <br>> > Cheers,<br>> > <br>> > Ken<br>> > <br>> > -----<br>> > Kenneth R. van Wyk<br>> > SC-L Moderator<br>> > KRvW Associates, LLC<br>> > http://www.KRvW.com<br>> > <br>> > <br>> > <br>> > <br>> > ------------------------------------------------------------------------<br>> > <br>> > _______________________________________________<br>> > Secure Coding mailing list (SC-L) SC-L@securecoding.org<br>> > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l<br>> > List charter available at - http://www.securecoding.org/list/charter.php<br>> > SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)<br>> > as a free, non-commercial service to the software security community.<br>> > _______________________________________________<br>> _______________________________________________<br>> Secure Coding mailing list (SC-L) SC-L@securecoding.org<br>> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l<br>> List charter available at - http://www.securecoding.org/list/charter.php<br>> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)<br>> as a free, non-commercial service to the software security community.<br>> 
_______________________________________________<br></body>
</html>