Source code reviews or web application firewalls?

By Michael Cobb | Jun 29, 2009

Before you decide whether a source code review or a Web application firewall (WAF) best meets your PCI DSS compliance needs, I recommend taking time to fully understand PCI's Web application requirements, including the clarification documents, and considering how the approved options mesh with your architecture and resources. It is now clear that enterprises have multiple paths to compliance and, if executed properly, any of the options will not only help achieve compliance but also improve Web application security.

Of course, there is no one-size-fits-all approach to application security. Unless you are in the fortunate position to be able to both conduct code reviews and run a WAF, it looks like the choice may simply come down to people. Does the enterprise have staff that can:

  • Configure and maintain an application-layer firewall?
  • Perform a code review?
  • Use a third-party vulnerability detection tool and fix any problems the review uncovers?

Of course, the decision could also depend upon architecture considerations and how well a WAF would work with existing systems and devices. A factor to consider, particularly for those leaning towards a third-party code review, is how comfortable the organization may be with the status of its code. Payment card applications develop over time and may include some legacy code of unknown origin and unclear purpose. Security staff may not want to remove legacy code and run the risk of breaking a mission-critical application. Placing a firewall in front of an application might be less costly, or less disruptive, than rewriting it in light of a code review.

Another approach is to use threat modeling to identify and evaluate the risks to an application. Take the top three critical risks and decide how best to remediate them: code review, vulnerability assessment or WAF. Be aware, though, that implementing a WAF will not eliminate the need for you to have a secure software development process in place (Requirement 6.3)! Application vulnerability assessments and code reviews both strengthen the development and quality assurance cycle.

Many of these choices are likely to be too costly for the small e-commerce site, so my recommendation here would be to outsource the payments to a third-party payment provider, which effectively outsources all of the expensive security requirements, including Web security, as well as the actual PCI DSS compliance. As long as you don't handle any of the card payments anywhere else, you don't need to be PCI DSS compliant.
