The Tangled Web of PCI Compliance - Page 2

Page 2 of 2 Money Talks with PCI Compliance

Experts see cost driving merchants to the Web firewall option.

"If someone was to buy one of our moderate-sized Web applications it would cost them $7,500," said Jim Libersky, vice president of sales and marketing at The Barrier Group. The firm offers an Intelligent Threat Management appliance that includes a Web application firewall, anti-spam, anti-virus, Web content filtering and more than 20 other technologies. "How many lines of code would it take to chew up that amount of money?"

Most companies would select the Web firewall application "because it's cheaper and faster than code review, and they ignore the fact that it doesn't protect them against the majority of security vulnerabilities, especially the most dangerous ones, which are in the application layer," said Ed Adams, president and CEO of Security Innovation, which conducts code reviews for clients.

The result: "I guarantee you'll see more TJX's, and that will continue until CIOs get it," Adams said. The TJX refers to the department store chain that lost hundreds of millions of dollars in legal fees, a reimbursement and other payments after hackers stole about 47.5 million records over a period of 18 months between 2005 and 2006.

Code Review vs. Firewalls

You can't really compare the protection offered by a Web application firewall to that from having a code review; each has its merits.

"Web application firewalls don't protect you against what happened to TJX," growled Adams. "People forget that PCI compliance doesn't equate to security, and 99 percent of organizations will only do the bare minimum that's required to pass the audit because that's all they're held accountable to."

He recommends getting a source code review from Security Innovation or other players in the field, such as Cigital, Deloitte & Touche, VeriSign(VRSN) and CyberTrust because "a code review is a more thorough analysis and improves the fidelity of the application before it gets released, so you're hardening the application itself, whereas a Web application firewall is just a filter and, if you have security vulnerabilities in your software, the Web application firewall doesn't do anything at all."

Libersky disagreed: "Redoing code is a very long and costly proposition because you have so many legacies and so many security practices going back so many years, and then you have to reintegrate everything to make sure it works," he said. Also, hardened code is static, and cannot cope with the constantly changing attacks on the Web. "There's always going to be a methodology somebody's going to find to launch an attack," he added. "You have to be able to find solutions and react very quickly and accurately, and application firewalls encompass that concept."

There are other reasons firewalls will be the more desired solution: "It's probably pretty realistic to see Web firewall installation because most companies buy software off the shelf," Rick Caccia, vice president of product marketing at security information and event management products ArcSight(ARST) said. "Security issues happen when you wire things together, so in many cases it's not possible to come from the code inspection side; and attacks change on an ongoing basis, so people want something in place that understands the ongoing nature of attacks and a Web appliance firewall is the answer."

The best protection is to have an end-to-end solution combining source code reviews, vulnerability scans and Web application firewalls. "Source code is like scouts in the NFL; they say 'based on what we see here, how many pushups this guy can do, how fast he can run, it looks like this guy has potential, he'll do well in the game," Barnett said.

"Vulnerability scans are like intrasquad scrimmages – you're playing against people on your own team and don't know what the other side, the bad guys are going to do. The Web application firewall is like a real NFL game; it's what really matters. But they're all complementary."

His recommendations for best practices: "Do source code fixes for new custom applications; do vulnerability scanning both in quality assurance (QA) before production, and then in production; then use a Web application firewall, both in production and development."