> Interesting approach. Curious to know if this will satisfy a
> PCI auditor as a compensating control (section 6)

I think that's presently untested and therefore likely unknown.
I would guess it depends on the auditor's perspective. On one
hand, having a separate WAF appliance provides you with separation
of duties so it's harder for a dev team to configure the WAF so
it accepts everything (much like I've seen some folks use a regex
of ".*" for things in Struts validators that they haven't gotten
around to thinking more deeply about). On the other hand, the
dev team is in a much better position to truly customize the rule
set to use an actual whitelist approach. The mod_security WAF
approach generally leads to a signature-based, black-list approach.
So I can see pros and cons to each. But for a clueful dev team,
this could be a big asset if they are willing to take the time to
do things right.

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
kevin.w...@qwest.com    Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
    - Edsger Dijkstra, How do we tell truths that matter?
      http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html
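
The trade-off Kevin describes, shown as an added example that is not part of the original thread: a Struts-style "mask" validator left at the placeholder ".*", a real whitelist mask for the same field, and a simplified signature denylist of the kind a generic WAF rule set leans on. The field name, the sample values and the signature list are constructed for illustration; the denylist is a toy, not actual mod_security rules.

```python
import re

# Constructed sample values for a hypothetical "username" form field.
SAMPLES = {
    "plain":        "kevin_wall",
    "tagged":       "kevin<script>",   # contains a token the denylist knows
    "tagged_upper": "kevin<ScRiPt>",   # case variant of the same token
    "unexpected":   "kevin;--",        # nothing the denylist has a signature for
}

# 1. The "haven't gotten around to it" validator mask from the thread: accepts everything.
PLACEHOLDER_MASK = r".*"
# 2. A whitelist mask a dev team who knows the field can write: letters, digits, underscore, 3-32 chars.
WHITELIST_MASK = r"[A-Za-z0-9_]{3,32}"
# 3. A toy signature denylist (constructed, case-sensitive, deliberately incomplete).
DENYLIST_SIGNATURES = [r"<script>", r"javascript:"]


def mask_allows(mask: str, value: str) -> bool:
    """Struts-style mask check: the entire value must match the mask."""
    return re.fullmatch(mask, value) is not None


def denylist_allows(signatures, value: str) -> bool:
    """Signature-style check: reject only when a known signature appears verbatim."""
    return not any(re.search(sig, value) for sig in signatures)


def evaluate(samples=SAMPLES) -> dict:
    """Return, per configuration, the set of sample names that configuration lets through."""
    return {
        "placeholder_mask": {n for n, v in samples.items() if mask_allows(PLACEHOLDER_MASK, v)},
        "whitelist_mask":   {n for n, v in samples.items() if mask_allows(WHITELIST_MASK, v)},
        "denylist":         {n for n, v in samples.items() if denylist_allows(DENYLIST_SIGNATURES, v)},
    }


if __name__ == "__main__":
    for config, passed in evaluate().items():
        print(f"{config:17s} lets through: {sorted(passed)}")
```

The placeholder mask passes every sample, the denylist stops only the one exact signature it knows and misses the case variant and the unexpected input, and the whitelist mask passes only the value the field was actually designed for.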


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
