PCI Compliance to mandate Application Security Testing
Chris Eng has an excellent post on his observations from the PCI community meeting in Toronto. To quote from his blog entry at: http://www.veracode.com/blog/?p=63
Requirement 6.6 of the PCI-DSS becomes mandatory in June 2008 and requires all web-facing applications to either undergo a code review OR be protected by a web application firewall.
For AppSec companies this could be good fodder; I expect to see many ‘code-review on a budget’ offerings. But code review done right is time consuming and expensive, so PCI should also provide the option of a web application pen-test from a certified third party. This would help many small to mid-size companies be PCI compliant without hurting their budget.
I think the PCI “standard” is hardly a standard. As far as we’re concerned, there are two ways to look at #6.6.
On the one hand, it gives a number of pen testing boutiques the opportunity to gain some business. But let’s step back and think about it for a moment: does it lend any more security to the merchant apps than if they did not adhere to this requirement? In my opinion it does not.
For years now, security practitioners have tried to drive people away from thinking that security software is software security. PCI DSS #6.6 states exactly that. A web application firewall is an easy method to be compliant, since a code review is an expensive proposition, consumes significant time, and the results need a lot more work to be presented meaningfully. Then there is the question of manual versus automated analysis, and of employing a certified vendor such as Cigital (shameless plug) to perform the task. My experience has indicated that even a somewhat meaningful code review (automated, coupled with manual filtering and prioritization based on business risks) requires a framework, a basic acceptance of limitations and provisions, to be in place for the venture to succeed. Web application firewalls do have their own place in the scheme of things, but does the industry need any more band-aid solutions?
I think this requirement is self-defeating, in that the DSS purports to protect data (customer data as well as that of interest to the merchant or vendor) but gives the merchant an option of being compliant and yet not responsible for truly ensuring such security.