The heat is on for web application firewalls nowadays. But what is making them more popular now than ever before? The only thing that comes to my mind is PCI DSS requirement 6.6. According to this requirement, all web-facing applications need to be protected against known attacks, either by having the application source code reviewed for common vulnerabilities by an organization specializing in application security, or by installing an application-layer firewall in front of the web-facing application. The deadline for meeting this requirement is 30th June 2008.
Even though you only need to meet one of these requirements to become PCI compliant, wouldn't it make more sense for a security-conscious organization to adopt both measures, one during development and the other in production?
That said, this may only be feasible for applications which are still in development or near completion. But what happens to all those applications which have already been in production for a long time, with complex multi-tier architectures and legacy systems in place? Is it really feasible to get the source code reviewed for all of these applications, and if it is done, is it really possible to remediate all the vulnerabilities found during the review in time for the PCI deadline? Probably not, in such a short period of time. Does that mean the only option left for these applications is a web application firewall? If so, can we assume that once put in place, web application firewalls are going to act as silver bullets for all these applications? I hope not! There are several open source and commercial web application firewalls available in the market, and each one comes with its own benefits and shortcomings. I don't think any one of these firewalls would be able to protect all these applications against all sorts of current and future attacks. WASC has developed a set of WAF evaluation criteria to assess the quality of the various WAF solutions available in the market.
So what would be the best approach? I would say that web application firewalls may be used as the first line of defense for applications which are already in production, in order to meet the PCI requirements. This way these applications will have enough time to get their source code reviewed, and the developers will have enough time on their hands to resolve the issues discovered during the review. On the other hand, applications which are still in development or near completion may go through source code review to identify and eliminate as many vulnerabilities as possible at this early stage, and then a web application firewall may be put in place to protect these applications further in production environments.
Don't you think that's defense in depth for web application security? I think it is.
4 comments:
Hi Vishal
IMHO this is another example of PCI DSS unintentionally promoting the use of silver bullets. An application firewall can sometimes help stop the most common attacks, but frequently it's just another appliance for security solution vendors to sell.
As you imply, there's no substitute for building security in to the development process, and for developers to be given the time and resources to write more secure code.
Don't you just love the imperatives of capitalism ;-)
I completely agree with this. The best way to secure applications would be to integrate security early into the SDLC. We may then want to add WAFs on top just to mitigate risks arising from unintentional coding errors.
Actually, PCI requires security throughout the SDLC (This is most of what section 6 is about).
WAFs and/or third party code review are there to catch the inevitable "we didn't implement against that" gaps and bugs.
@ lyalc:
I totally agree with you, and as you said, requirement 6.6 is about making sure that all other steps have been followed and to catch some unthoughtful bugs and errors. I am actually trying to say that source code review and a WAF complement each other, and we cannot replace one with the other.
Moreover, I would say that we can put a WAF to better use by using it as an analysis tool rather than just as a protection mechanism. This would help us understand the attacks faced by an application, and we can use this information to improve the security of the application to the next level.
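The idea in the reply above, using the WAF's blocked-request records to learn which parts of an application are being attacked and feeding that back into the code review queue, can be illustrated with a small log summarizer. The following Python is an added example and not code from the original post or from any WAF product; the log line format, the rule names (SQLi, XSS, PathTraversal) and the sample records are all constructed for this example, since every real WAF has its own audit format.

```python
"""
Added example (not from the original post): summarize blocked-request
records from a WAF log to see which application paths and attack classes
are hit most, so that source code review effort can be prioritized.
The log format, rule names and records below are constructed; real WAF
products each have their own audit log format.
"""
from collections import Counter, defaultdict
import re

# Constructed sample records: one line per request the WAF acted on.
SAMPLE_LOG = """\
2008-06-01T10:00:01Z client=203.0.113.5 path=/login.php rule=SQLi action=block
2008-06-01T10:00:07Z client=203.0.113.5 path=/login.php rule=SQLi action=block
2008-06-01T10:01:13Z client=198.51.100.9 path=/search.jsp rule=XSS action=block
2008-06-01T10:02:44Z client=203.0.113.5 path=/login.php rule=SQLi action=block
2008-06-01T10:03:20Z client=192.0.2.77 path=/account/export rule=PathTraversal action=block
2008-06-01T10:04:02Z client=198.51.100.9 path=/search.jsp rule=XSS action=block
2008-06-01T10:04:30Z client=198.51.100.9 path=/search.jsp rule=SQLi action=block
2008-06-01T10:05:59Z client=192.0.2.77 path=/index.html rule=XSS action=monitor
"""

# Regex for the constructed format above; malformed lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) path=(?P<path>\S+) "
    r"rule=(?P<rule>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize(records, action="block"):
    """Count events with the given action per (path, rule) and per rule
    class, and collect the distinct client addresses seen per path."""
    by_path_rule = Counter()
    by_rule = Counter()
    clients = defaultdict(set)
    for r in records:
        if r["action"] != action:
            continue
        by_path_rule[(r["path"], r["rule"])] += 1
        by_rule[r["rule"]] += 1
        clients[r["path"]].add(r["client"])
    return by_path_rule, by_rule, clients


def review_priorities(records, top=3):
    """Rank paths by how many distinct attack classes the WAF blocked on
    them, then by event count. A path drawing several attack classes is
    the first candidate for source code review. Returns a list of
    (path, distinct_rule_classes, blocked_events) tuples."""
    by_path_rule, _, _ = summarize(records)
    score = defaultdict(lambda: [0, 0])  # path -> [distinct rules, events]
    for (path, rule), n in by_path_rule.items():
        score[path][0] += 1
        score[path][1] += n
    ranked = sorted(score.items(), key=lambda kv: (-kv[1][0], -kv[1][1], kv[0]))
    return [(path, rules, events) for path, (rules, events) in ranked[:top]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    _, by_rule, _ = summarize(recs)
    print("blocked events by attack class:", dict(by_rule))
    for path, rules, events in review_priorities(recs):
        print(f"{path}: {events} blocked events across {rules} rule class(es)")
```

On the constructed records, `/search.jsp` ranks first because two different rule classes fired on it, even though `/login.php` saw the same number of blocked events; that is exactly the kind of signal that tells a team which code to review first while the WAF holds the line in production. Records with `action=monitor` are excluded from the ranking by default so that detection-only rules do not inflate the numbers.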