PCI DSS Requirement 6.6: Web Application Firewalls and Code Reviews
On June 30, 2008, PCI DSS requirement 6.6 takes effect, requiring that all merchants who operate public websites implement at least one of two controls:

- Install a web application firewall
- Perform application code reviews

Until recently, the meaning of these requirements has been quite unclear and subject to interpretation. However, with the recent release of an information supplement, the PCI Security Standards Council clarified the requirements and laid out a clear path to compliance for merchants. Let’s take a brief look at each of the two options.
Web Application Firewalls
The supplement defines application firewalls as “security policy enforcement point(s) positioned between a web application and the client endpoint”. It goes on to say that the firewall may be implemented in either software or hardware, and may be a standalone appliance, a server, or a component of another device. That description certainly opens a wide range of possibilities, and it’s designed to do so.
You can meet the intent of this requirement with any of a number of commercial and open source products. The most obvious (and most expensive!) option is to install a dedicated web application firewall, such as the Barracuda Web Site Firewall. If you’re using an application proxy firewall, such as the Secure Computing Sidewinder G2 firewall, you can configure Application Defenses to monitor HTTP traffic and block malicious traffic from reaching your web servers.
If you do decide to go this route, consider using the Web Application Firewall Evaluation Criteria to guide your selection process. That said, read the last four pages of the information supplement first. They outline a long list of criteria for web application firewalls but then use weasel words to introduce them, stating that “a web application firewall should be able to…” What does that mean? I guess we won’t find out for sure until someone gets audited and has a fine assessed for not having a “proper” web application firewall.
Application Code Reviews
The alternative to purchasing a web application firewall is to conduct a code review of your Internet-facing web applications. At first glance, that might sound very daunting, until you read a line in the information supplement: “The application code review option does not necessarily require a manual review of source code.”
In fact, there are four options presented that fully meet the requirement:

- Manually reviewing the source code (avoid this at all costs!)
- Proper use of automated application source code analyzer (scanning) tools (that’s a possibility, if you’re writing your own code and have developers willing to work with those tools)
- Manual web application security vulnerability assessment (that’s quite difficult and time-consuming)
- Proper use of automated web application security vulnerability assessment (scanning) tools (there’s the money option!)

Option 4 allows you to have a qualified security professional (an internal employee is fine, as long as it’s someone who understands the “proper use” of the tools) perform a web application scan with the assistance of an automated tool, such as HP’s WebInspect, Cenzic’s HailStorm or IBM’s AppScan. I’ve been using WebInspect for a couple of years and have no major complaints.
Personally, I’m advising the merchants I work with to go the code review route and work with an automated tool. It’s the more clearly defined of the two options and, given the complexity of properly configuring a web application firewall, is probably the path of least resistance.
What are you doing in your organization? Comment on this post and chime in with your thoughts!
Photo by utpal


September 1st, 2008 on 3:44 pm
Any thoughts on Code Crawler from Cyphersec? http://www.cyphersec.com/?page_id=68
It’s linked from the OWASP page on code reviews.