Security Basics mailing list archives

Re: PCI: DSS


From: Jason <securitux () gmail com>
Date: Fri, 23 May 2008 15:11:30 -0400

Hey Pete. You don't need a WAF if you have your custom code reviewed
by a 3rd party according to the DSS. It's an either / or situation.
That being said, I am attending a webinar next week which states that
according to research the two are not interchangeable; however, I think
that is just a marketing / sales tactic more than anything. We'll see.

What I also know is that web application scanners which scan for
vulnerabilities in the application can also be used in lieu of a code
review. Although the code review is more thorough (and I highly
recommend it be made part of your SDLC), they are interchangeable. At
least for now.

I will also urge you to exercise caution when dealing with product
vendors and PCI. PCI can be loosely interpreted in their favor and you
may get convinced to buy something you don't need. Make sure your PCI
needs are run past an actual QSA or the PCI council before you make
any expensive decisions.

Thanks

-J


On 5/23/08, Hill, Pete <Pete.Hill () sit-up tv> wrote:

Hi all,

Can anyone confirm for me what sort of workarounds there are concerning
PCI:DSS and application layer firewalls?

Requirement 6.6 of the standard states this:

6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
* Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
* Installing an application layer firewall in front of web-facing applications.
Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.

We already have our custom code reviewed, but I'm wondering if I
absolutely must sort out an application layer firewall or if there is a
workaround that would be acceptable for a level 1 merchant.

If there are any knowledgeable auditors (QSA etc.) out there I'd really
appreciate your help on this one.

Many thanks
Pete


A number of bogus e-mails are currently circulating in the UK encouraging customers to visit fraudulent websites 
where personal or Internet security details are requested. Bid tv/Price-drop tv/Speed auction tv would never send 
e-mails that ask for confidential, personal security information or details regarding your account status.

The content of this e-mail does not constitute a contract and any matters discussed herein remain subject to contract.

The contents of this message and all attachments have been sent in confidence for the attention of the addressee
only. If you are not the intended recipient you are kindly requested to preserve this confidentiality and to advise
the sender immediately of the error in transmission.

"sit-up ltd, registered in England No: 03877786.
Registered Office: Sit-Up House, 179-181 The Vale, London W3 7RW.
Sit-Up ltd is wholly owned by a subsidiary of Virgin Media."
