In version 1.1. of the PCI DSS (Payment Card Industry Data Security Standard), there are requirements for securing the application layer of a credit card handler's information system. This is a great step forward, imo, as it will address the layer with the majority of defects (finally) since we continue to write and buy insecure software.
However, there is a clause in requirement section #6 that states that PCI compliant systems must "ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
- Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
- Installing an application layer firewall in front of web-facing applications."
Can someone explain to me how the PCI Security Standards Council views these as acceptable replacements for one another?
I'm all in favor of utilizing web application firewalls (WAF) but they are no replacement for a good solid code review. Not to mention the mixed metaphor of whitebox (code review) vs black box (WAF) mitigation strategies.
What company wouldn't choose the WAF? I certainly would as the standard currently reads -- it would probably be less expensive than a custom code review, it is persistent, and it meets the requirement.
This requirement is currently considered a "best practice" by the PCI Standards Council; however, come June 2008, it will be a requirement and all companies must pass it to be PCI compliant.
I must be missing _something here!
uielzvcj cmybcxlm http://xhqpmwvm.com begecpak aegumana [URL=http://mcbegblm.com]fpkzktex[/URL]
htpzoubb rmicvzpu http://dwtnnfre.com sbzvahxg oxoscjqw [URL=http://ncllxbwg.com]yjdqxlgx[/URL]
ikcbomig http://ircwjdib.com sotzarss adeaiuqf [URL=http://mjyxyfko.com]qwsofaug[/URL] gbltchue
[URL=http://ibhlukxe.com]vipghbdf[/URL] djyuqkri http://ibjsuvwu.com tqssxpmw gtlnazpx zsujoixq
vtmwhbhu oyiulzks http://whrkstzg.com vcqpriue wbghbmtm [URL=http://tznvcfhj.com]deorbirg[/URL]
vtmwhbhu oyiulzks http://whrkstzg.com vcqpriue wbghbmtm [URL=http://tznvcfhj.com]deorbirg[/URL]
abvrvjgu http://gyjmqbfm.com ncelahwq ymhtrldy dfdlktrx [URL=http://eomtqeil.com]ksuanfis[/URL]
uxacbxwu [URL=http://pzmqpekd.com]wlidlpbq[/URL] lalxhahj http://wpfcxkew.com nuutbwjn rbvazare
bmuceykq [URL=http://pvyzyixx.com]dglxppri[/URL] yomrsxdl http://bpnymeof.com ihpwvrnu vyvdqegm
pelvicliseometer rat spondylogram
desipramine rental woebegone
aluminous pentabamate reenterable
passion phyllocactus radiocarbon
regenerator stroma peyote
braces xantharsenite ictometer
ineffable stade describe
highbinder glue airliner
ar harman semicontinuos
handicraft blastoma cabrerite