
Sunday, June 15, 2008

PCI 6.6 mandatory compliance date looming

When I first read PCI DSS v1.1, requirement 6.6 caught my eye for two reasons: I could see the potential security benefits, but also the extra work I would have to do!

Requirement 6.6 is shown below:

Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

• Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
• Installing an application layer firewall in front of web-facing applications.

Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.


Wow, all custom code externally reviewed - time to save up the pennies to pay for that! A lot of the community were scratching their heads trying to figure out whether this actually means having every line of custom code reviewed; even for a relatively small company we were a bit worried about the cost. Fortunately, the PCI Council released a clarification document earlier this year detailing that a company could meet 6.6 by one of the following approaches:

"The application code review option does not necessarily require a manual review of source code.

Keeping in mind that the objective of Requirement 6.6 is to prevent exploitation of common vulnerabilities (such as those listed in Requirement 6.5), several possible solutions may be considered.

They are dynamic and pro-active, requiring the specific initiation of a manual or automated process. Properly implemented, one or more of these four alternatives could meet the intent of Option 1 and provide the minimum level of protection against common web application threats:

1. Manual review of application source code
2. Proper use of automated application source code analyzer (scanning) tools
3. Manual web application security vulnerability assessment
4. Proper use of automated web application security vulnerability assessment (scanning) tools"


We felt that our current approach towards secure application development and code reviews met the intent of the first option in requirement 6.6. We had an external company that specialises in auditing and application security review (and produce a report on) our process.

I would love to know what kind of approach others have taken to satisfy requirement 6.6.

Remember folks, it becomes mandatory in 15 days so act fast!

Friday, June 6, 2008

My public security talks

This year has been good for me so far for public talking. I have been lucky enough to be invited to speak at the Irish Web Technology Conference (IWTC 2008) and an OWASP Ireland Chapter Meeting.

I had a lot of fun doing these talks. IWTC was based in the Cineworld cinema in Dublin, and it was a very strange feeling to actually be presenting my work on the big cinema screen where only weeks earlier I was watching Shrek!

The IWTC talk was focused on a high level discussion of the current threats application developers need to protect against in 2008. I also discussed how to write code to protect against these threats. I finished off the talk with an explanation of the application security processes I have implemented at Realex Payments.

The talk can be viewed here (Google Docs has broken some of it; contact me for the original):



In April Eoin Keary (OWASP Ireland Chapter Lead) invited me to talk about Application Security and the PCI DSS. The talk focused on how PCI DSS would affect an application developer along with an overall opinion on PCI DSS and how it applies to application security. I presented this talk at Ernst and Young in Dublin.

The talk can be viewed here:



All feedback, good or bad, is welcome!