The tangled web of PCI compliance

Fear and loathing will dominate when Best Practice 6.6 of the PCI Data Security Standard becomes a requirement June 30.

The regulation requires that merchants dealing with debit and credit cards tighten up their security by both conducting application code reviews and installing Web application firewalls.

It was put forth by the PCI Security Standards Council, which issues, maintains and enforces the PCI security standards that govern payment account data security to which all corporations that deal with payment cards must adhere.

However, while stating that "proper implementation of both options would provide the best multi-layered defense", the Council says, in essence, that some merchants won't be able to implement both. The solution: select the best option for their needs. This is leading to compliance problems.

"We're addressing the problem in two ways," said Bob Russo, general manager of the PCI Security Standards Council. "If you have custom application code, it needs to be reviewed for common vulnerabilities, either by yourself or by a company that does application code reviews by a standard like OWASP. The Open Web Application Security Project, OWASP, is a worldwide free and open community focused on improving the security of application software whose materials are available under an open source license.

For off-the-shelf software, "installing an application layer firewall in front of a Web facing app will work as well," Russo explained. "You need security in the application itself if you can do it but that's not necessarily the way you need to look at this; either way will suffice."

In essence, it's going to have to be a business decision. And which option merchants choose depends on how much money they have.

"Bigger merchants have more budget and can afford to do both; but when you get into Level 4 merchants, which Visa describes as "any merchant processing fewer than 20,000 Visa e-commerce transactions per year," margins tend to be thin. (By contrast, Level-1 merchants have more than 6 million transactions a year.) Level 4 merchants "don't have lots of staff," said Ryan Barnett, director of application security at Breach Security and an instructor at the training-focused SANS Institute. "They're forced to choose between the two options."

Money Talks with PCI Compliance

Experts see cost driving merchants to the Web firewall option.

"If someone was to buy one of our moderate-sized Web applications it would cost them $7,500," said Jim Libersky, vice president of sales and marketing at The Barrier Group. The firm offers an Intelligent Threat Management appliance that includes a Web application firewall, anti-spam, anti-virus, Web content filtering and more than 20 other technologies. "How many lines of code would it take to chew up that amount of money?"

Most companies would select the Web firewall application "because it's cheaper and faster than code review, and they ignore the fact that it doesn't protect them against the majority of security vulnerabilities, especially the most dangerous ones, which are in the application layer," said Ed Adams, president and CEO of Security Innovation, which conducts code reviews for clients.

The result: "I guarantee you'll see more TJX's, and that will continue until CIOs get it," Adams said. The TJX refers to the department store chain that lost hundreds of millions of dollars in legal fees, a reimbursement and other payments after hackers stole about 47.5 million records over a period of 18 months between 2005 and 2006.

Code Review vs. Firewalls

You can't really compare the protection offered by a Web application firewall to that from having a code review; each has its merits.

"Web application firewalls don't protect you against what happened to TJX," growled Adams. "People forget that PCI compliance doesn't equate to security, and 99 percent of organizations will only do the bare minimum that's required to pass the audit because that's all they're held accountable to."

He recommends getting a source code review from Security Innovation or other players in the field, such as Cigital, Deloitte & Touche, VeriSign(VRSN) and CyberTrust because "a code review is a more thorough analysis and improves the fidelity of the application before it gets released, so you're hardening the application itself, whereas a Web application firewall is just a filter and, if you have security vulnerabilities in your software, the Web application firewall doesn't do anything at all."

Libersky disagreed: "Redoing code is a very long and costly proposition because you have so many legacies and so many security practices going back so many years, and then you have to reintegrate everything to make sure it works," he said. Also, hardened code is static, and cannot cope with the constantly changing attacks on the Web. "There's always going to be a methodology somebody's going to find to launch an attack," he added. "You have to be able to find solutions and react very quickly and accurately, and application firewalls encompass that concept."

There are other reasons firewalls will be the more desired solution: "It's probably pretty realistic to see Web firewall installation because most companies buy software off the shelf," Rick Caccia, vice president of product marketing at security information and event management products ArcSight(ARST) said. "Security issues happen when you wire things together, so in many cases it's not possible to come from the code inspection side; and attacks change on an ongoing basis, so people want something in place that understands the ongoing nature of attacks and a Web appliance firewall is the answer."

The best protection is to have an end-to-end solution combining source code reviews, vulnerability scans and Web application firewalls. "Source code is like scouts in the NFL; they say 'based on what we see here, how many pushups this guy can do, how fast he can run, it looks like this guy has potential, he'll do well in the game," Barnett said.

"Vulnerability scans are like intrasquad scrimmages ? you're playing against people on your own team and don't know what the other side, the bad guys are going to do. The Web application firewall is like a real NFL game; it's what really matters. But they're all complementary."

His recommendations for best practices: "Do source code fixes for new custom applications; do vulnerability scanning both in quality assurance (QA) before production, and then in production; then use a Web application firewall, both in production and development."