> Interesting approach. Curious to know if this will satisfy a
> PCI auditor as a compensating control (section 6)

I think that's presently untested and therefore likely unknown. I would guess it depends on the auditor's perspective. On one hand, having a separate WAF appliance provides you with separation of duties, so it's harder for a dev team to configure the WAF so it accepts everything (much like I've seen some folks use a regex of ".*" for things in Struts validators that they haven't gotten around to thinking more deeply about). On the other hand, the dev team is in a much better position to truly customize the rule set to use an actual whitelist approach. The mod_security WAF approach generally leads to a signature-based, black-list approach. So I can see pros and cons to each. But for a clueful dev team, this could be a big asset if they are willing to take the time to do things right.

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
kevin.w...@qwest.com
Phone: 614.215.4788
"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration"
- Edsger Dijkstra, How do we tell truths that matter?
http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
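The three validation styles contrasted in the reply above (a per-parameter whitelist, a signature blacklist in the mod_security style, and the ".*" validator that accepts anything), as an added illustration that is not from the thread or from any WAF product; the rule sets and request parameters are constructed for the demo.

```python
import re

# Constructed whitelist rule set: each expected parameter gets an anchored,
# positive pattern. Anything unlisted, or not matching, is rejected.
WHITELIST_RULES = {
    "zip": re.compile(r"\d{5}(-\d{4})?"),
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
}

# Constructed signatures in the style of a generic signature-based WAF.
BLACKLIST_SIGNATURES = [
    re.compile(r"<script", re.IGNORECASE),
    re.compile(r"union\s+select", re.IGNORECASE),
]

# The ".*" validator the reply complains about: it matches any value at all.
ACCEPT_ALL = re.compile(r".*", re.DOTALL)


def whitelist_check(params):
    """Return names of parameters the positive rule set does not vouch for.
    Unknown parameters fail too, since no rule exists for them."""
    failed = []
    for name, value in params.items():
        rule = WHITELIST_RULES.get(name)
        if rule is None or not rule.fullmatch(value):
            failed.append(name)
    return failed


def blacklist_check(params):
    """Return names of parameters whose value matches a known-bad signature.
    Anything that looks like no signature passes, however malformed it is."""
    return [name for name, value in params.items()
            if any(sig.search(value) for sig in BLACKLIST_SIGNATURES)]


def accept_all_check(params):
    """The '.*' validator: returns the parameters it rejects, which is none."""
    return [name for name, value in params.items()
            if not ACCEPT_ALL.fullmatch(value)]


if __name__ == "__main__":
    # Constructed request: a mistyped zip (letter O) plus an unexpected parameter.
    req = {"zip": "4321O", "username": "kevin_w", "debug": "1"}
    print("whitelist rejects:", whitelist_check(req))   # ['zip', 'debug']
    print("blacklist rejects:", blacklist_check(req))   # []
    print("'.*' rejects:     ", accept_all_check(req))  # []
```

The whitelist is the only one of the three that notices a value outside the expected shape or a parameter nobody expected, which is the customization advantage the reply attributes to a dev-team-owned rule set.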