[Owasp-ireland] Another PCI issue........

Sam Johnston samj at samj.net
Fri Apr 18 06:33:24 EDT 2008


To me this release reads like an advertisement for application firewalls,
which is not to say that is necessarily a bad thing (it makes sense to take
a close look at traffic bound to/from any sensitive web application). That
said, there's lots of wiggle room in a definition like 'application layer
firewall' - a poorly configured app firewall is as useful as teats on a
bull... it would be interesting to see this tightened up a bit over time if
it's not already.


On Fri, Apr 18, 2008 at 11:18 AM, davidrook <david.rook at realexpayments.com>

> I thought as Eoin stirred the hornets' nest that is PCI DSS a few weeks
> ago I would post something on this subject as well.
> PCI point 6.6 has been causing a bit of confusion around what actually
> needs to be carried out by an organisation aiming to be PCI compliant.
> Requirement 6.6:
> Ensure that all web-facing applications are protected against known
> attacks by applying either of the following methods:
> • Having all custom application code reviewed for common vulnerabilities
> by an organization that specializes in application security
> • Installing an application layer firewall in front of web-facing
> applications.
> Note: This method is considered a best practice until June 30, 2008,
> after which it becomes a requirement.
> The code review point is where a lot of the confusion came from. In an
> attempt to clear the confusion up the PCI council have announced the
> following:
> The application code review option does not necessarily require a manual
> review of source code. Keeping in mind that the objective of Requirement
> 6.6 is to prevent exploitation of common vulnerabilities (such as those
> listed in Requirement 6.5), several possible solutions may be
> considered. They are dynamic and pro-active, requiring the specific
> initiation of a manual or automated process. Properly implemented, one
> or more of these four alternatives could meet the intent of Option 1 and
> provide the minimum level of protection against common web application
> threats:
> 1. Manual review of application source code
> 2. Proper use of automated application source code analyzer (scanning)
> tools
> 3. Manual web application security vulnerability assessment
> 4. Proper use of automated web application security vulnerability
> assessment (scanning) tools
> But more interestingly Bob Russo (President of the PCI council) said:
> "Personally, I'd love to see everyone go through an OWASP-based
> source-code review, but certainly, that's not going to happen," Russo
> said, referring to the expensive and time-consuming process of manual
> code reviews. "So the application firewall is probably the best thing
> to do, but there needs to be some clarification around what it needs to
> do."
> The point of this email is to see how you guys feel this could affect an
> organisation's stance on Application Security? The PCI council seemed to
> be making a good step forward with requirement 6.6 but have they now
> diminished its effectiveness by stating you are better off not doing the
> source code review and just implementing an application firewall?
> --
> David Rook | david.rook at realexpayments.com
> Information Security Analyst
> Realex Payments
> Enabling thousands of businesses to sell online.
> Realex Payments, Dublin, www.realexpayments.com