nCircle.com >> 360 Security >> VERT


PCI Requirement 6.6 Update Released

It looks like the PCI Security Standards Council has posted their update to Requirement 6.6 (available here). They have provided information above and beyond what I mentioned last week. They have also provided a great deal of clarification around Web Application Firewalls.

Some interesting notes:

  • Reviews can be performed by qualified internal or external individuals. However, internal auditors should not fall into the same organizational unit as the developers.

  • The text gives examples of where reviews will meet or exceed the quality of Web Application Firewalls. The two examples provided are:
    • Security reviews of source code during the development process.
    • Testing for the presence of web application vulnerabilities, either manually or via a specialized tool.

  • Testing must occur prior to the Web Application going live. (Note: Of course this doesn't mean testing should stop there; ongoing testing is key. As Braden Williams put it today, "You have to MAINTAIN what is assessed.")

Trey Ford has a great write-up and answers some additional questions that people may have... I highly recommend reading it.


Comments (1)

Dani:

As the PCI compliance deadline is coming soon on June 30th, we searched for the best solution in order to be ready and comply with the PCI 6.6 requirements.
There are 2 options, as you said:
Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
1. Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.
2. Installing an application layer firewall in front of web-facing applications.

There are a few options we took into consideration:
1. Choosing between the first option or the second option - Secure Coding or Web Application Firewall.
2. Research and decide what will be the best suitable solution for our needs (18 servers).

We examined the dotDefender web application firewall (www.applicure.com) and found it to be a very dynamic application to protect our servers. In addition, we tested other products from Imperva.com and breach.com.

After we researched and compared the differences between the different solutions, we found that a product called dotDefender is compliant with the PCI 6.6 requirements, as we needed.
The price was also an important issue when comparing the maintenance cost needed with other solutions.

Dani.

About

This page contains a single entry from the blog posted on April 22, 2008 11:10 AM.
