Jun 30 2008
Today’s the day. According to Payment Card Industry Data Security Standards (PCI-DSS) requirement 6.6, today is the last day having code review and/or a web application firewall (WAF) is optional. If you’re a merchant accepting credit cards online, you have to meet this requirement for any and all assessments from July 1, 2008 on.
The good news is that the PCI Security Standards Council has provided a clarification on what exactly constitutes code review and what a code review and the exact requirements for a WAF. Code review does not have to be done by a third-party specializing in code review, but it does have to meet at least one of the following points:
1. Manual review of application source code
2. Proper use of automated application source code analyzer (scanning) tools
3. Manual web application security vulnerability assessment
4. Proper use of automated web application security vulnerability assessment
It does mean you have to have someone who’s actually got training in code review viewing the output of your tools and processes; it does not mean you can have your security manager running Nikto or some other web scanner against your site and call it good. He or she actually has to have the training and experience to make use of the output of the tool and the process. If you don’t already have some sort of code review built into your processes, this will definitely be the more painful and time consuming way to meet with the 6.6 requirements. But once you have it in place, it’s also the more secure option.
Installing a WAF is the easier, quicker way to meet with 6.6. You install another piece of hardware in your network, fire it up, and you’re done. Or almost; you still have to have someone who knows how to configure the web application firewall to work with your environment, which is not always an easy task. Out of the box most WAF’s will go far towards protecting your site from cross-site scripting (XSS) and SQL injection attacks, but they’re not infallible. Tuning a WAF to meet your site’s specific needs can be a full time job by itself and it means working with the application team to understand exactly what can and cannot be blocked to keep your site secure.
Rich and I often discuss PCI on the podcast and Rich is of the opinion that PCI is just another set of requirements that don’t really make the Internet more secure. I think he’s wrong and that requirement 6.6 is one of many things in PCI that proves my point. Web Application Firewalls and code review aren’t the solution to all of the problems web sites face on the Internet, but it goes a hell of a long way towards establishing a baseline of security for companies to meet with. Yes, attacks are going to continue and sites are going to be compromised; but by mandating code review and/or web application firewalls, we go a long way towards removing the low hanging fruit that is XSS, SQL injection and poor coding practices. It may just mean attackers have to find smaller merchants and other sites that don’t have to meet requirement 6.6 (yet), but that will still be an improvement.
If you’re a PCI Level 1 merchant (taking more than 6 million Visa/MasterCard transactions annually), this is the last day you have any excuse not to be doing code review or putting a WAF in place. And if your a Level 2 or lower merchant, you’d better start thinking about this requirement as well, since you’re responsible for the exact same requirements. The main difference is Level 2 and lower merchants don’t have to have an annual on-site assessment. But rumor has it that might be changing in the not to distant future. No, that’s not insider information, since I haven’t read any more of the PCI 1.2 requirements than any one else, but it is the rumor I’ve been hearing for a while.
As of tomorrow, the bar for securing your web site is being raised one more notch. You have to meet with requirement 6.6 to be PCI compliant. The alternatives are being fined, having your per transaction fees raised or possibly even lose your ability to take credit card transactions. No one wants to deal with any of those possibilities, so I foresee a lot of web application firewalls being purchased in the near future. After all, it’s easier to put in another piece of hardware than to change your whole application development process to include code review. But the smart merchants are going to be doing both.