If your business handles, transmits or stores credit card data, you have undoubtedly heard of the Payment Card Industry (PCI) Security Standards Council. It is not easy or inexpensive to comply with PCI standards but given the high cost of responding to a security breach, compliance is well worth the effort.
In view of the high-profile breaches that have taken place recently, the PCI standard has been tightened effective June 30, 2008. The use of a Web Application Firewall is one of only two options available to you and it may be the best choice.
PCI is a wide-ranging standard. It is governed by twelve requirements covering all aspects of data security. The standard covers firewalls, user IDs and passwords, data encryption, anti-virus software, access restrictions and network monitoring.
Section 6.6 of the PCI standard discusses web applications and how to protect them. This section currently provides a set of recommendations but as of June 30, they become requirements.
Simply stated, web-applications must be protected by one of two methods:
1) Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security or,
2) Installing an application layer firewall in front of web-facing applications.
As defined by PCI, "an organization that specializes in application security" can be an internal or external group. In either case, the group must be properly trained, certified and equipped. If it is internal, the group's management must be separate from the management of the application being tested.
In either case, having an independent security group evaluate your PCI compliance makes sense but be aware that this is not a one-time review. Each time your application changes, another review will be needed to ensure continued compliance.
In the rapidly changing world of web applications, the need for security reviews can be disruptive and costly. You will need to provide source code and documentation for the application. Your software development team will need to be on call to answer questions and assist as needed.
If the review mandates changes to the application, additional tests and reviews will be required. The entire review process is not an experience that many organizations will find rewarding.
Installing an application layer firewall, often called a Web-Application Firewall (WAF), frees you from the need to conduct ongoing inspections. The WAF inspects requests of the application and the responses it provides. If anything looks suspicious, the data stream can be blocked.
A WAF can be either a standalone network appliance or a software package installed on your web server. It provides an added layer of protection between the software application and its users. The WAF examines application-level data streams ensuring that the data traffic is legitimate.
You may be thinking that you already have a network firewall and an intrusion detection/prevention system so why do you need an application firewall?
Intruders attempting to break into your network have a wide variety of options. At the lowest level, networks use protocols like TCP/IP, UDP, FTP and HTTP to send data packets. There are many ways intruders can scan, intercept and spoof these packets.
Network firewalls and IDS/IPS devices analyze data packets to ensure their integrity and detect tampering. These defensive mechanisms have become so sophisticated that criminals have moved up the protocol stack to more advanced intrusion techniques.
Software applications use higher-level languages and interfaces to communicate. SOAP, HTML and XML are commonly used when applications exchange data. These data streams can also be intercepted and re-routed to launch a variety of attacks. Application firewalls are programmed to prevent such attacks.
WAFs can be configured and trained to detect and protect the specific behaviors of an application. Some can even learn how an application operates and be on the lookout for abnormal behavior.
There are a few pitfalls you should consider before committing to a WAF. The technology is not as mature as network firewalls or anti-virus software. The installation, management and support issues will be more complex as a result.
WAFs take up CPU time and network bandwidth. This could be a problem on a high-volume website. You may have to do some load-balancing. Also, consider using the WAF only for the checkout service where credit card numbers are entered rather than the entire website.
Initial setup and configuration of a WAF can be time-consuming. Major changes to the application will require new WAF settings. If your application is evolving rapidly, be sure to take WAF programming into consideration when planning rollouts.
Testing and debugging enhancements to your application may become more complex. As the application evolves, WAF configuration will also need to evolve. When a new feature does not work, someone will have to determine if it is the new code or the WAF.
Do not develop a false sense of security. If your application’s business logic is flawed, the WAF will not protect you. For example, if a bug results in a shopper seeing the credit card number of another shopper, the WAF will not catch the problem as this behavior will appear to be normal.
While not a miracle cure, the web-application firewall offers enhanced protection at a reasonable cost. Consider that a major security breach could easily cost your company millions of dollars. The cost of an additional security layer may be well worth the investment.
Vin D'Amico is Founder and President of DAMICON, your ADJUNCT CIO. He helps companies avoid the subtle mistakes that cause missed deadlines, lost opportunities and fragile results. He shows them agile approaches that slash risk and cut development time so they get to market 25-50% faster. He helps them carry that momentum into the sales cycle using white papers and case studies that accelerate the selling process.
This article appeared in Vin's monthly Virtual Business column for the IndUS Business Journal in May 2008.
To learn more about how DAMICON can help your business, please take a look at our service programs.
This column appears monthly in the IndUS Business Journal.