In short – Yes.
Organizations that are in the process of determining whether or not they should install an application firewall in front of their web facing applications, OR do a code review should make a best effort to do both.
Why? Because, web application firewalls, while very useful, and generally very thorough are designed to perform a limited number of protection tasks, that are typically based on existing, deployed web technologies.
Web technologies are evolving, and more and more custom applications exist. For instance, CGI based vulnerabilities popped up as soon as CGI came into existence. Developers simply did not understand the threats associated with query string vulnerabilities, safe passage of variables, or safe backend system call execution. Then of course, php and asp represented new threats such as SQL injection, file path inclusion, XSS, etc.
Every time there has been a shift in web technology, a new threat landscape has emerged. More and more, open-source server-side web-apps are showing up in payment environments. Mambo CMS is a perfect example. It provides a great platform for easy deployment of nearly any site architecture. It’s also been compromised many times, and its been deployed as a front end for applications which process payments.
When you weigh the option that DSS provides of either source code review or web application firewall, you should understand that you’re going to obtain vastly different results from those two methods.
Installing a web application firewall will thwart the 99.9% of attacks that happen as a result of publicly disclosed vulnerabilities that are either being executed by a bot or an attacker with a luke warm degree of motivation.
A source code review will afford you visibility into the security of the application from otherwise unknown attack vectors and hopefully give you insight into not only vulnerabilities that exist as a result of insecure coding techniques, but along with a solid educational experience, the peace of mind that your developers are learning how to avoid common mistakes after you’ve received the results of the review.
Also, less vulnerabilities in the protected zone means less possibility of internal compromise. Don't forget that the majority of compromises happen from within.
So again, the answer to the question is yes. Install a web application firewall if your organization can afford the technology. Perform a source code review of both 3rd party apps, and –especially- in-house developed code to provide a second layer of protection and valuable feedback to your development team.
This will allow you to use PCI as a valuable tool, instead of just one more exercise in compliance.
No comments:
Post a Comment