Wednesday, July 02, 2008

Web App Firewalls the Rage for PCI 6.6 Compliance

The deadline for complying with Section 6.6 of the Payment Card Industry Data Security Standard (PCI DSS) passed this week. Before June 30, its two alternatives -- web application firewalls or code reviews -- were only a recommendation.

Making it an either-or proposition is sort of silly. It should really be based on a risk assessment and vulnerability testing of the web application. In some cases, securing the web application could be both alternatives together or, maybe, neither.

It seems that many companies are choosing the easier way out, rather than the right way out, and opting for web application firewalls.

Now, here's a nice companion guide from the PCI council itself, clarifying the two Section 6.6 alternatives. After reading this, it's not as scary as it seems. In some cases you can use web scanning tools, like AppScan and WebInspect, which are reasonably priced and easy to use.
