A panelist, Kennet Westby from Coalfire Systems, indicated that Requirement 6.6 should not be an either-or option, since code review is an integral part of the SDLC. This time, I made it up to the microphone before time expired, and asked whether the council had considered making code review the sole requirement while allowing a WAF to be used as a compensating control. In my view, that would be more closely aligned with the intent of PCI as a security standard. The best practice is incorporating code review into the development process, whereas a WAF is essentially a band-aid, not a replacement for code review. Granted, an SDLC cannot be put in place overnight, and a WAF can be effective as a quick fix (some protection is better than none), but it certainly shouldn’t be treated as an equivalent way to satisfy the requirement. Dave Wichers responded to my question, agreeing that code review was the “right way,” but added that code review is not a viable option for many companies, so they had to offer a WAF as an alternative. Time ran out, so I’m still not clear exactly what he meant by that, and I need to follow up to get more clarity on his comment. Still, I saw some heads nodding and received positive feedback from a couple of people in the audience, so I guess I’m not the only one thinking along these lines.

The WAF discussion is also interesting, staying on the topic of benchmarking for a moment. What percentage of attacks are these products actually stopping? Is it 80% or 20%? I have never seen any hard data here, though anecdotally the reviews certainly have not been glowing. This is as large an unknown as the false-positive and false-negative rates of code analysis tools. If benchmark scrutiny is going to hold up automated code analysis, then WAFs and manual assessments need to be held to the same standard.
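To make the two points above concrete, the "band-aid" argument and the missing WAF benchmark data, here is an added example that is not part of the original post and not any vendor's rule set or the council's guidance. It pairs a constructed WAF-style signature with the code-level defect the signature is meant to paper over (string concatenation into SQL) and its reviewed fix (a bound parameter), then scores the signature the way a benchmark would: detection rate over a small constructed set of attack payloads, false-positive rate over constructed benign inputs, and, for each payload that gets past the signature, how many rows the vulnerable and the fixed code return. The signature, the payloads, the table contents and the rates they produce are all assumptions made for illustration.

```python
import re
import sqlite3

# Constructed signature standing in for a WAF rule (an assumption, not any
# vendor's rule set): reject a request parameter that looks like SQL injection.
WAF_SIGNATURE = re.compile(r"'\s*or\s*'|--|union\s+select|;\s*drop", re.IGNORECASE)


def waf_blocks(value):
    """True if the signature would reject this request parameter."""
    return WAF_SIGNATURE.search(value) is not None


def make_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "o'neil")])
    return conn


def vulnerable_lookup(conn, username):
    """The defect a code review would flag: untrusted input concatenated into SQL."""
    sql = "SELECT id FROM users WHERE name = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def fixed_lookup(conn, username):
    """The code-level fix: a bound parameter, so the input is never parsed as SQL."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]


# Constructed benchmark corpus. A real evaluation needs a far larger and more
# representative set; the point here is the measurement, not these values.
MALICIOUS = [
    "' OR '1'='1",
    "' OR 1=1 --",
    "' UNION SELECT name FROM users --",
    "' OR 1=1 OR 'a'='b",      # no quote adjacent to OR, no comment marker
    "'/**/OR/**/'1'='1",       # inline comments instead of whitespace
]
BENIGN = ["alice", "o'neil", "thanks; drop me a line", "dr. orr"]


def benchmark_waf(malicious=MALICIOUS, benign=BENIGN):
    """Score the signature the way an FP/FN benchmark would."""
    blocked_bad = [p for p in malicious if waf_blocks(p)]
    blocked_good = [p for p in benign if waf_blocks(p)]
    return {
        "detection_rate": len(blocked_bad) / len(malicious),
        "false_positive_rate": len(blocked_good) / len(benign),
        "bypasses": [p for p in malicious if not waf_blocks(p)],
        "false_positives": blocked_good,
    }


def rows_leaked_after_waf(value):
    """For a value the WAF lets through, count rows each version returns.
    More than zero rows for a name that is not in the table is a leak."""
    conn = make_db()
    try:
        vulnerable = len(vulnerable_lookup(conn, value))
    except sqlite3.Error:
        vulnerable = "error"   # concatenation also breaks on legitimate quotes
    fixed = len(fixed_lookup(conn, value))
    return {"vulnerable": vulnerable, "fixed": fixed}


if __name__ == "__main__":
    report = benchmark_waf()
    print("WAF detection rate:      %.0f%%" % (100 * report["detection_rate"]))
    print("WAF false-positive rate: %.0f%%" % (100 * report["false_positive_rate"]))
    for payload in report["bypasses"]:
        print("bypass %-28r -> rows: %s" % (payload, rows_leaked_after_waf(payload)))
    print("benign o'neil           -> rows: %s" % rows_leaked_after_waf("o'neil"))
```

Two things fall out of running it. First, the signature has a measurable gap: two of the five payloads pass, and every one that passes returns the whole table from the concatenated query while the parameterized query returns nothing, which is the sense in which the WAF is a band-aid over a defect only the code change removes. Second, the same corpus gives a false-positive number (a harmless comment containing "; drop" is blocked), and the name `o'neil` shows the concatenation is a functional bug as well as a security one. Those are exactly the detection and false-positive figures the benchmarking discussion above is asking for, and a vendor claim without them is not much to go on.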

On the whole, I found the sessions a little on the short side. At each session I attended, there was never enough time at the end to address audience questions. Many of the audience members were from companies working toward PCI compliance, so the questions tended to revolve around interpretation of the PCI language and intent (Is such-and-such considered a compensating control? What do you mean by connected entities?), leaving less time for discussion of the technical merits of the security requirements.
