If your company stores or processes credit card information, you must be able to demonstrate compliance with the Payment Card Industry (PCI) Data Security Standards (DSS). These standards include requirements for security management, policies, procedures, network architecture, design, and other critical protective measures. They also include one very prescriptive requirement: Section 6.6 mandates that organizations secure all Web applications by conducting a code review or installing an application layer firewall. Companies have had a very difficult time passing the other parts of Section 6 and they have experienced a rising number of data breaches. Unless companies take 6.6 seriously, PCI compliance failure rates, and data breaches, will continue to grow. Read this whitepaper to gain an overview of best practices to pass Section 6.6 and an understanding of the technology available to you.
WHITE PAPER
Passing PCI Compliance Section 6.6: Code Reviews and Application Firewalls
Taylor McKinley, Product Marketing Manager, Fortify
Passing PCI Compliance Section 6.6 - WWW.FORTIFY.COM - White Paper (page 1)
Table of Contents
3 Current Overview of PCI and Section 6.6
4 Learning from 2006/2007 Failures
5 Use of Multiple Techniques Is the Best Approach
6 If You Can Choose Only a Single Approach
9 Overview of Fortify 360®
10 How Fortify 360 Can Help Pass Section 6.6 and Other Sections
14 Conclusion
14 References
Executive Summary
If your company stores or processes credit card information, you must be able to demonstrate compliance with the Payment Card Industry (PCI) Data Security Standards (DSS). These standards, created by representatives of the credit card companies, include requirements for security management, policies, procedures, network architecture, design, and other critical protective measures. They also include one very prescriptive requirement that goes into effect on June 30, 2008. Section 6.6 mandates that organizations secure all Web applications by conducting a code review or installing an application layer firewall. To date, companies have had a very difficult time passing the other parts of Section 6. They've also experienced a rising number of data breaches. Unless companies take 6.6 seriously, PCI compliance failure rates, and data breaches, will continue to grow. This white paper provides an overview of how best to pass Section 6.6, shares feedback from failed audits in 2006 and 2007, outlines the pros and cons of fixing the code versus installing an application firewall, and introduces Fortify's Business Software Assurance® solution, Fortify 360, which delivers source code analysis, Web application testing, and application firewall technology.
Current Overview of PCI and Section 6.6

In 2004, the major credit card companies developed the first integrated set of IT security standards for all online merchants. These standards were revised in 2006, and the PCI Council, an independent entity, was formed to manage and enforce these standards. The complete standards can be read at: https://www.pcisecuritystandards.org/tech/index.htm

In the newest revision (version 1.1), the PCI Council made several minor edits and added a new initiative. This new initiative, Section 6.6, started as a best practice and became mandatory on June 30, 2008. This section reads:

"Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
- Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security [1]
- Installing an application layer firewall in front of web-facing applications"

On April 22, 2008, the PCI Council released a supplement document to clarify this section. The key points were:
- Automated source code analysis tools can be used to meet this requirement.
- Automated Web application scanning tools can be used to meet this requirement.
- If either of these tools is used, or an application firewall is deployed, they must be configured, set up, and managed appropriately.

With the June 30, 2008, deadline passed, companies are quickly trying to address Section 6.6.
Learning from 2006/2007 Failures
Over the last two years, many companies have failed their PCI audits. A careful look back will reveal that Section 6, even without 6.6 being mandatory, proved to be one of the most challenging requirements. This includes mandates such as "developing all Web applications based on secure coding guidelines." The following statistics demonstrate how difficult this section has become.
- 56% of organizations fail Section 6: Develop and maintain secure systems and applications. (VeriSign)
- Poorly coded Web applications leading to SQL injection vulnerabilities is one of the top five ...

"Many companies are failing their audits and are getting hacked because they over-rely on one approach, namely Web application scanning. This is one of the key reas..."
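As an added illustration of what a Section 6.6 code review (manual, or an automated source code analysis tool) looks for, here is a toy check for the SQL injection pattern cited above: SQL text assembled from string operations and handed to a database cursor. This is constructed example code, not the paper's or Fortify's own analyzer; the sink names, the sample "before" and "after" snippets, and the card-lookup function are all assumptions made for the demonstration.

```python
"""Toy source-code check for SQL built by string operations and passed to
cursor.execute(). Constructed example; it inspects only the sink's direct
argument, whereas a real analyzer also tracks data flow through variables."""
import ast

# Assumed DB-API sink names; real tools carry a much larger catalogue.
SQL_SINKS = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime: concat, %, f-string, .format()."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.JoinedStr):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def find_unsafe_sql(source: str) -> list[int]:
    """Return sorted line numbers of execute*() calls whose SQL argument is built dynamically."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append(node.lineno)
    return sorted(findings)


# Constructed "before" snippet: the account number is spliced into the query text.
VULNERABLE = '''
def lookup(cur, pan):
    cur.execute("SELECT * FROM cards WHERE pan = '" + pan + "'")
    cur.execute(f"SELECT * FROM cards WHERE pan = '{pan}'")
    return cur.fetchall()
'''

# Constructed "after" snippet: the same query with a bound parameter, which the check passes.
FIXED = '''
def lookup(cur, pan):
    cur.execute("SELECT * FROM cards WHERE pan = ?", (pan,))
    return cur.fetchall()
'''

if __name__ == "__main__":
    print("vulnerable:", find_unsafe_sql(VULNERABLE))  # [3, 4]
    print("fixed:", find_unsafe_sql(FIXED))            # []
```

The "after" form is the secure coding guideline the requirement refers to: parameters are bound by the driver rather than embedded in the SQL text, so the query structure cannot be altered by the input.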