The tangled web of PCI compliance

With PCI security standard becoming a requirement, retailers prepare for implementation

He recommends getting a source code review from Security Innovation or other players in the field, such as Cigital, Deloitte & Touche, VeriSign(VRSN) and CyberTrust because "a code review is a more thorough analysis and improves the fidelity of the application before it gets released, so you're hardening the application itself, whereas a Web application firewall is just a filter and, if you have security vulnerabilities in your software, the Web application firewall doesn't do anything at all."

Libersky disagreed: "Redoing code is a very long and costly proposition because you have so many legacies and so many security practices going back so many years, and then you have to reintegrate everything to make sure it works," he said. Also, hardened code is static, and cannot cope with the constantly changing attacks on the Web. "There's always going to be a methodology somebody's going to find to launch an attack," he added. "You have to be able to find solutions and react very quickly and accurately, and application firewalls encompass that concept."

There are other reasons firewalls will be the more desired solution: "It's probably pretty realistic to see Web firewall installation because most companies buy software off the shelf," Rick Caccia, vice president of product marketing at security information and event management products ArcSight(ARST) said. "Security issues happen when you wire things together, so in many cases it's not possible to come from the code inspection side; and attacks change on an ongoing basis, so people want something in place that understands the ongoing nature of attacks and a Web appliance firewall is the answer."

The best protection is to have an end-to-end solution combining source code reviews, vulnerability scans and Web application firewalls. "Source code is like scouts in the NFL; they say 'based on what we see here, how many pushups this guy can do, how fast he can run, it looks like this guy has potential, he'll do well in the game," Barnett said.

"Vulnerability scans are like intrasquad scrimmages ? you're playing against people on your own team and don't know what the other side, the bad guys are going to do. The Web application firewall is like a real NFL game; it's what really matters. But they're all complementary."

His recommendations for best practices: "Do source code fixes for new custom applications; do vulnerability scanning both in quality assurance (QA) before production, and then in production; then use a Web application firewall, both in production and development."