Web firewalls trumping other options as PCI deadline nears

Advantage over appsec approach mainly one of convenience

Companies scrambling to comply with a Web application security requirement due to take effect next week appear to be heavily favoring the use of Web firewall technologies over the other options that are available under the mandate, according to analysts.

The mandate from the major credit card companies is the latest adjustment to the Payment Card Industry Data Security Standard (PCI DSS). Essentially, it requires all entities accepting payment card transactions to implement new security controls for protecting their Web applications. The controls have been a recommended best practice for nearly two years now, but starting June 30, they will become a mandatory requirement under PCI -- especially for so-called Level 1 companies that handle more than 6 million payment card transactions a year.

Under the requirement (PCI Section 6.6), merchants can choose to implement a specialized firewall to protect their Web applications, or to perform an automated or manual application code review and fix any flaws found. Companies also have the option of performing either a manual or an automated vulnerability assessment scan of their Web application environment, fixing any problems that are discovered during that process.

The 6.6 requirement is designed to address growing concerns about vulnerable Web applications being exploited by malicious attackers to compromise payment data. The controls are supposed to protect Web applications from common threats like SQL Injection attacks, buffer overflows and cross-site scripting vulnerabilities.

As with almost every other major PCI deadline so far, though, few companies are expected to be fully compliant with the PCI 6.6 requirement come June 30. But analysts say the companies that are compliant or heading in that direction appear to be favoring the Web firewall option.

For instance, excess-inventory retailer Overstock.com chose to install a Web application firewall from Breach Security Inc. rather than take any of the other options.

Going that route was considerably cheaper than doing an application code review, said Bear Terburg, manager of network engineering at Overstock.com.

"We deploy code every other week. The ongoing effort of doing code reviews would add another layer of costs," compared with a Web application firewall, Terburg said. Besides, he added, the company is already doing vulnerability scans, and adding Web application firewall technology provides another layer of protection.

Harvard Medical School has Web sites that process credit card information. The school is in the process of implementing a Web firewall technology from security vendor Third Brigade to deal with online security threats.

The tool was "much easier" to implement that any of the other compliance options available under PCI 6.6, said John Halamka, CIO at Harvard Medical School. "The effort of going through application code every time a new vulnerability is discovered would be a far more daunting task." The firewall also makes ongoing recommendations for tuning or adding new signatures when a new vulnerability is discovered or to block out specific Web threats, he said.

Sushila Nair, a compliance expert at BT and a qualified assessor of PCI compliance, noted that her company is seeing a larger number of merchants implementing Web firewalls compared with the other PCI 6.6 options, for the same reasons articulated by IT managers such as Halamka and Terburg. "The questions I am getting are largely based on Web applications firewalls," she said.

But while the tools may be easier to deploy, Nair cautioned, companies need to be aware that many Web firewall products are still relatively new and untested. "Web firewalls have a much greater learning component" than many might assume, she said, noting that many companies still have problems with traditional intrusion-detection and intrusion-prevention systems, which are often less complex than Web firewalls.

"Retailers have to be very cognizant of their environment" when installing a Web firewall product, added Troy Leach, technical director of the PCI Security Standards Council, the independent body that is administering the standard on behalf of the major card brands.

"A Web application firewall out of the box may not be enough to meet 6.6," he said. He pointed to an information supplement (download PFD) that the council has made available, which describes all the attributes that a firewall is required to have in order for it to be considered PCI 6.6-compliant. Among other things, the firewalls need to be properly tuned to ensure that they permit legitimate traffic to get through while automatically blocking out the malicious data packets.

Some organizations, such as analyst firm Gartner Inc., have also recommended that companies not only install firewalls, but ensure that the underlying application code is reviewed as well. Without such a review, the firm maintains, the protection offered by Web firewalls is at best half-baked. In fact, Gartner has recommended that the tasks of scanning for and fixing vulnerabilities in Web applications should be given priority over the use of Web application firewalls, which should be used in addition to -- not instead of -- code review.

Bob Russo, general manager of the PCI Security Council, said that so far his organization does not have a clear indication of what companies are doing in terms of complying with PCI 6.6. "But certainly a layered response is something we'd prefer to see," he said, referring to the need for companies to consider not just implementing a firewall but, going forward, performing code reviews.

Join the discussion
Be the first to comment on this article. Our Commenting Policies