When I first read PCI DSS v1.1, requirement 6.6 caught my eye for two reasons. I could see the potential security benefits, but also the extra work I would have to do!
Requirement 6.6 is shown below:
Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
• Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
• Installing an application layer firewall in front of web-facing applications.
Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.
Wow, all custom code externally reviewed - time to save up the pennies to pay for that! A lot of the community were scratching their heads trying to figure out whether this actually meant having every line of custom code reviewed; even as a relatively small company we were a bit worried about the cost. Fortunately the PCI Council released a clarification document earlier this year detailing that a company could meet 6.6 by one of the following approaches:
"The application code review option does not necessarily require a manual review of source code.
Keeping in mind that the objective of Requirement 6.6 is to prevent exploitation of common vulnerabilities (such as those listed in Requirement 6.5), several possible solutions may be considered.
They are dynamic and pro-active, requiring the specific initiation of a manual or automated process. Properly implemented, one or more of these four alternatives could meet the intent of Option 1 and provide the minimum level of protection against common web application threats:
1. Manual review of application source code
2. Proper use of automated application source code analyzer (scanning) tools
3. Manual web application security vulnerability assessment
4. Proper use of automated web application security vulnerability assessment (scanning) tools"
We felt that our current approach towards secure application development and code reviews met the intent of the first option in requirement 6.6. We have had an external company who specialise in auditing and application security review (and produce a report on) our process.
I would love to know what kind of approach others have taken to satisfy requirement 6.6.
Remember folks, it becomes mandatory in 15 days so act fast!