a draft of the PA-DSS will be released by the PCI Council

One panelist, Kennet Westby from Coalfire Systems, pointed out that Requirement 6.6 should not be an either-or option, since code review is an integral part of the SDLC. This time, I made it up to the microphone before time expired, and asked if the council had considered making code review the sole requirement but allowing a WAF to be used as a compensating control. In my view, this seemed more closely aligned with the intent of PCI as a security standard. Incorporating code review into the development process is the best practice, whereas a WAF is essentially just a band-aid, not a replacement for code review. Granted, an SDLC cannot be put in place overnight, and a WAF can be effective as a quick fix — something is better than nothing — but it certainly shouldn’t be an equivalent way to satisfy the requirement. Dave Wichers responded to my question, agreeing that code review was the “right way,” but added that a code review is not a viable option for many companies, thus they had to offer WAF as an alternative. Time ran out, so I still don’t understand exactly what he meant by that, and I need to follow up to get more clarity on his comment. Still, I saw a few heads nodding and received a little positive feedback from a couple of people in the audience, so I guess I’m not the only one thinking along these lines.

Staying on the topic of benchmarking for a moment, the WAF discussion is interesting. What percentage of attacks do people think these are actually stopping? Is it 80% or 20%? I have never seen any hard data here, though anecdotally, the reviews certainly have not been glowing. This is as much of an unknown as the FP/FN rates of code analysis tools. If benchmark scrutiny is going to be applied to automated code analysis, then WAFs and manual assessments need to be held to it as well.

Overall, I found that the sessions were probably a little bit on the short side. At each session I attended, there was never enough time at the end to address audience questions. Many of the audience members were from companies working toward PCI compliance, so the questions tended to revolve around interpretation of the PCI language and intent (Is such-and-such considered a compensating control? What do you mean by connected entities?), with less time left for discussion of the technical merits of the security requirements.
