PCI-DSS Requirement 6.6

Jun 25, 2008

For those of you developing or maintaining Ecommerce applications, the PCI-DSS 6.6 requirement is coming due this Monday, June 30th. Your merchant account agreement requires that you follow the PCI standard. You may also be in a state that legally binds you to follow the standard. So you could disregard this, but at your own peril. The requirement simply states:

Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
- Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
- Installing an application layer firewall in front of web-facing applications.

The PCI Security Standards Council also released a supporting document to further explain the 6.6 requirements at https://www.pcisecuritystandards.org/tech/supporting_documents.htm

I am not going to rehash the requirement here. There are plenty of people talking about 6.6 and it is fairly simple to understand. Frankly, I think the supporting document waters the requirement down a bit, but the intent is very clear. You should have an infrastructure or policy in place that prevents the more common web application threats like SQL injection and cross-site scripting.

If you have the budget, I highly encourage implementing a web application firewall (WAF). A WAF is not the same as a regular firewall. Typically, network firewalls operate at the Network and Transport layers of the OSI model: they block by IP address, port and protocol. What runs over the permitted ports and addresses is not inspected, filtered or blocked. That is the job of a WAF, which operates at the Application layer and looks at the HTTP request itself (URL, query string, headers, cookies and body). For example, if an attacker sends an XSS payload in a request, the WAF should detect, block and log the attempt before it reaches the application.

Now you are probably going to say that your code is perfect and blocks SQL injection and XSS attacks. You use cfqueryparam and/or my Portcullis XSS filter. You properly catch errors, etc. But take a moment to think about what is happening here. An attack directed at your application server has to pass through a network firewall, network switches and your web server before it ever touches the application server (ColdFusion). Once it gets past your coding, the attacker has nothing else to worry about. Would it not be better to also have a WAF further up the chain to block and log attacks? This adds a critical layer to your security and frees your server from having to handle and catch bogus requests. Even if an attack gets through the WAF, your proper coding should provide a further catch. This makes launching a successful attack even harder. As a further note, it is simply not enough to prevent these attacks with better coding. You should be logging them and be notified as they happen so you can closely monitor the activity. WAFs can do this for you.

So how do you get a WAF? There are several hardware solutions out there. You can also set up a reverse proxy with a Linux Apache installation that uses the mod_security module. For IIS users, Port80 Software has a software solution for the Windows Server environment.
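To make the reverse-proxy option concrete, here is an added example of an Apache virtual host with ModSecurity 2.x placed in front of a ColdFusion server. This is my illustration, not configuration from the original post or from the ModSecurity project. The hostnames, ports, certificate paths and rule ids are assumptions, and the two hand-written rules are deliberately narrow so the logging behaviour is easy to read; in production you would load the OWASP ModSecurity Core Rule Set rather than rely on a couple of regexes.

```apache
# Added example (not from the original post): Apache reverse proxy with
# ModSecurity 2.x in front of a ColdFusion application server.
# Assumed names: shop.example.com, cfserver.internal:8500, cert paths, rule ids.
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule ssl_module          modules/mod_ssl.so
LoadModule security2_module    modules/mod_security2.so

<VirtualHost *:443>
    ServerName shop.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/shop.example.com.crt   # assumed path
    SSLCertificateKeyFile /etc/httpd/ssl/shop.example.com.key   # assumed path

    # Forward everything that survives inspection to ColdFusion.
    # ProxyRequests Off keeps this from becoming an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://cfserver.internal:8500/
    ProxyPassReverse / http://cfserver.internal:8500/

    # Start with DetectionOnly while tuning: every rule still logs, nothing
    # is blocked. Switch to On once the audit log shows no false positives.
    SecRuleEngine On
    SecRequestBodyAccess On

    # Audit log: full request/response for events that matter. RelevantOnly
    # records requests that triggered a rule or produced an error status
    # (4xx/5xx except 404), which is what you hand to whoever gets paged.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog logs/modsec_audit.log
    SecAuditLogParts ABIFHZ

    # Normalise before matching: t:none clears inherited transformations,
    # then URL-decode and HTML-entity-decode so %3Cscript%3E and &lt;script
    # are seen as <script.
    SecDefaultAction "phase:2,log,auditlog,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode"

    # Reflected XSS in any parameter or cookie.
    SecRule ARGS|REQUEST_COOKIES "@rx (?i)<\s*script|javascript\s*:|on(?:error|load|click)\s*=" \
        "id:100001,msg:'XSS attempt blocked',tag:'PCI-DSS/6.5.1'"

    # Classic SQL injection shapes in parameters.
    SecRule ARGS "@rx (?i)union\s+(?:all\s+)?select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*(?:drop|alter)\s+table" \
        "id:100002,msg:'SQL injection attempt blocked',tag:'PCI-DSS/6.5.2'"

    # Use the maintained rule set instead of growing the list above:
    # Include modsecurity.d/crs/*.conf
</VirtualHost>
```

Two points worth checking after you deploy this. First, confirm the app server only accepts connections from the proxy (host firewall or ColdFusion's own connector binding), otherwise an attacker who learns the internal address simply bypasses the WAF. Second, tail `modsec_audit.log` while sending a harmless `?q=<script>alert(1)</script>` through the proxy; you should see a 403 at the client and an audit record with the rule id and message, which is the log and notification trail the post is asking for.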

As I mention in my PCI-DSS presentations, this standard is not only good for people handling credit card information but is also a solid standard for any organization trying to properly secure their applications.
