Hi Michael, > So, unfortunately for the WAF vendors, people can just use a static source > code analysis tool or a web application vulnerability scanner instead of > purchasing and deploying a WAF.
I don't know much about PCI 6.6 (yet), but don't the organizations have to mitigate the vulnerabilities found? (fix, bear or transfer risk, use a different security control..) Surely one just doesn't have to just run the tool... I am guessing that WAFs can mitigate a considerable amount of these vulnerabilities. Automated tools suck at finding business logic flaws which just so happens to be a WAF's supposed weakness, too. So to me it seems to be a perfect marriage: automated tools that can only find bugs and WAFs that can only fix bugs :-) Stephen On Tue, Jul 1, 2008 at 5:40 AM, Michael Gavin <[EMAIL PROTECTED]> wrote: > I too was wondering how much of a boon 6.6 would be to the WAF vendors > and/or the companies that do security code reviews. That is, until 4/22, > when the PCI SSC issued a press release > (https://www.pcisecuritystandards.org/pdfs/04-22-08.pdf) announcing an > information supplement clarifying requirement 6.6 > (https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf). > > Clearly, completing security code reviews on all of those web applications > and/or protecting them with those expensive "magic pizza boxes," which, > last time that I checked (almost 2 years ago now) were running about $35K to > start, wasn't going to happen any time soon. > > The good news from that "information supplement" is that the PCI Security > Standards Council defined what they mean by an application firewall and > specified what it is supposed to do; the less good news is that they > specified 4 alternative methods for satisfying the code review option: 1. > manual security code review, 2. automated security code review, 3. manual > web application vulnerability scan, and 4. automated web application > vulnerability scan. While I think automation of code reviews and > vulnerability scans is essential, I also believe that none of the automated > tools are yet sufficient (completeness-wise) without some additional manual > effort. > > So, unfortunately for the WAF vendors, people can just use a static source > code analysis tool or a web application vulnerability scanner instead of > purchasing and deploying a WAF. > > Michael > >> Date: Mon, 30 Jun 2008 09:17:34 -0500 >> From: [EMAIL PROTECTED] >> To: [EMAIL PROTECTED] >> CC: SC-L@securecoding.org >> Subject: Re: [SC-L] InternetNews Realtime IT News - Merchants Cope With >> PCI Compliance >> >> for the vast majority of the profession - slamming the magic pizza box in >> a rack >> is more preferable than talking to developers. in many cases the biggest >> barrier >> to getting better security in companies is the so-called information >> security >> group. it has very little to do with technology, its a people problem. >> >> -gp >> >> Kenneth Van Wyk wrote: >> > Happy PCI-DSS 6.6 day, everyone. (Wow, that's a sentence you don't hear >> > often.) >> > >> > http://www.internetnews.com/ec-news/article.php/3755916 >> > >> > In talking with my customers over the past several months, I always find >> > it interesting that the vast majority would sooner have root canal than >> > submit their source code to anyone for external review. I'm betting PCI >> > 6.6 has been a boon for the web application firewall (WAF) world. >> > >> > >> > Cheers, >> > >> > Ken >> > >> > ----- >> > Kenneth R. van Wyk >> > SC-L Moderator >> > KRvW Associates, LLC >> > http://www.KRvW.com >> > >> > >> > >> > >> > ------------------------------------------------------------------------ >> > >> > _______________________________________________ >> > Secure Coding mailing list (SC-L) SC-L@securecoding.org >> > List information, subscriptions, etc - >> > http://krvw.com/mailman/listinfo/sc-l >> > List charter available at - http://www.securecoding.org/list/charter.php >> > SC-L is hosted and moderated by KRvW Associates, LLC >> > (http://www.KRvW.com) >> > as a free, non-commercial service to the software security community. >> > _______________________________________________ >> _______________________________________________ >> Secure Coding mailing list (SC-L) SC-L@securecoding.org >> List information, subscriptions, etc - >> http://krvw.com/mailman/listinfo/sc-l >> List charter available at - http://www.securecoding.org/list/charter.php >> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) >> as a free, non-commercial service to the software security community. >> _______________________________________________ > > ________________________________ > The i'm Talkathon starts 6/24/08. For now, give amongst yourselves. Learn > More > _______________________________________________ > Secure Coding mailing list (SC-L) SC-L@securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) > as a free, non-commercial service to the software security community. > _______________________________________________ > > _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________