[Owasp-pci-project] PCI 6.6

McGovern, James F (HTSC, IT) James.McGovern at thehartford.com
Thu Jun 4 10:28:52 EDT 2009


 I have observed that many within OWASP don't buy into the section 6.6
recommendations that suggest that code review and WAFs are equivalent.
Likewise, I have also observed that WAFs are popular in that you can buy
a nice shiny box with colorful blinking lights that you can mount in
your rack in the datacenter and show executives who don't know any
better that you have made progress.

Maybe one form of guidance is to compare code review and WAFs through
the lens of enterprise architecture. A WAF is short-term, tactical and
doesn't provide much business lift. It introduces another hop which can
increase throughput/performance and likewise isn't doable on all
applications. Code review can be a better value proposition if we can
figure out how to convince others of its long-term value.

Other than WebGoat, has anyone ever run across an insecure but otherwise
well-performing application that was written within a large enterprise
(note I left off shops that develop software as their sole mission)?
Security and quality are somewhat two sides of the same coin, and it
isn't difficult to find business people who think that the performance
or other quality attributes of their IT systems suck.

We can kill two birds with one stone.