Most enterprises use the Internet to (1) facilitate information sharing with customers, vendors, and other partners and (2) provide self-service transaction processing applications to reduce commerce friction and transaction costs. These web-based applications provide a very attractive attack surface to cyber predators. In response, organizations like OWASP, SANS, and the Payment Card Industry Security Standards Council have developed recommendations of varying detail and effectiveness to mitigate the risks associated with these web applications.
The most impactful web application security regulatory organization by far is the Payment Card Industry Security Standards Council. It was established in 2006 by founding members American Express, Discover, JCB International, Mastercard, and Visa. The credit card regulations they promulgate (commonly referred to as PCI DSS) must be met or the enterprise risks losing its ability to take payments via these credit card brands.
PCI DSS 6.6 states that for public-facing web applications the enterprise must EITHER perform an annual vulnerability security assessment OR deploy a web application firewall. However, when 6.6 is read together with the rest of Requirement 6 (Develop and maintain secure systems and applications), the vulnerability assessment becomes the "must have" and the WAF becomes unnecessary for meeting PCI DSS. This is most unfortunate.
In theory, it ought to be possible to have a Security Development Life Cycle (SDLC) rigorous enough that a WAF would not be necessary. In practice it does not happen. Application development resources are always in short supply and must be divided between fixing deployed systems and developing new ones. And since the application vulnerability assessment need only be performed once per year, an enterprise can be PCI DSS compliant while running applications with known, unpatched vulnerabilities.
Therefore, rather than treating PCI DSS as the end goal of information security, Cymbel sees it as the end of the beginning. In other words, PCI DSS is a floor, not a ceiling.
Cymbel sees Web Application Firewalls as a required control, in addition to the SDLC, for web application security for the following reasons:
- Protects more valuable assets than credit cards – As expensive as a credit card breach can be to remediate, in general there have been no long-term financial consequences (stock price) for enterprises that have experienced credit card breaches, as long as they make a good-faith effort to remediate the breach and to meet PCI DSS requirements. However, the range and value of an organization's intellectual property is far greater than its credit card information. Losing trade secrets to a competitor is much more likely to have long-term financial consequences.
- Provides immediate vulnerability mitigation – It is simply impossible to have vulnerability-free applications, and even when vulnerabilities are discovered there may be reasons that immediate patching is not feasible. What enterprise has not faced the choice, due to resource constraints, between fixing vulnerabilities in a deployed application and meeting a business-defined deadline on a new application?
- Supports third-party applications whose code you cannot control – Not all web-facing applications are home grown. For example, are you providing external access to SharePoint?