Are you in violation?
It is no secret that web applications have become a common target for attackers. Because the custom code behind public-facing web applications is hard to secure and comparatively easy to attack, the Payment Card Industry (PCI) Security Standards Council took steps to protect cardholders by adding web application security requirements to its Data Security Standard (DSS).
All organizations that process, store or transmit credit, debit or other payment card data must comply with Requirement 6.6 of the PCI DSS. Requirement 6.6 states that all public-facing web applications must be protected against known attacks by one of two methods: having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security, or installing an application-layer firewall (a web application firewall, or WAF) in front of the web-facing applications.
Weighing Requirement 6.6 Compliance Options
Many organizations assume that code reviews and vulnerability scans are enough to satisfy Requirement 6.6, and a qualified code review is indeed one of the two permitted methods. Comparing the two options side by side, however, shows why a growing number of organizations are choosing web application firewalls.
Vulnerability Scans and Code Reviews | Web Application Firewalls
-------------------------------------|--------------------------
Look at one web application at a single point in time. | Provide real-time, continuous protection for every web application placed behind the firewall.
Must be repeated after each application change. | Profile each application's acceptable behavior and learn changes automatically.
May not cover every line of code. | Protect the whole web application, including code the review did not reach.
Can produce inconsistent findings, because each vendor interprets the same issue differently. | Report the attacks actually attempted against the application rather than one vendor's interpretation of a finding.
Do not fix the vulnerabilities they find. | Act as a "virtual patch" that blocks exploitation of each application's known vulnerabilities.
Are expensive, and the cost recurs with every review cycle. | Offer an immediate return on investment, because protection begins as soon as the firewall is deployed.

One caveat worth keeping in mind when reading the table: a virtual patch stops the requests that would exploit a flaw, but the flaw itself remains in the code until a developer fixes it. The WAF buys time and covers the gaps between reviews; it does not make the findings of a review go away.