The revised Payment Cards Industry Data Security Standard (PCI-DSS) that was released last Thursday did not provide any ground breaking news regarding the requirement for the protection of publicly facing web-applications against vulnerabilities and web-application attacks.
Theoretically merchants that are bound to PCI-DSS compliancy still have two options. Either use an automated technical solution (this is the new term PCI Security Council gives to Web Application Firewalls) to protect the merchant’s publicly facing Web applications, or alternatively, merchants can review all of their public-facing web applications with vulnerability security assessment tools and ensure that there are not known vulnerabilities.
Here lies the difference between theory and reality. PCI requires merchants to review their web-applications after each change (or at least once annually). This turns this vulnerability assessment and fixing solution into a non-practical solution. To better understand this let’s refer to the 2013 WhiteHat Web Site Security Statistics Report. 91% of e-retail sites that were analyzed for the survey had at least one serious vulnerability. On average, e-retail web sites had 106 serious vulnerabilities per year. The most interesting data-point from this report is that it took 224 days to fix these vulnerabilities.
This has several implications. If it takes 224 days to fix these vulnerabilities, this means that for almost 2/3 of the year the site is vulnerable to attacks and is not compliant with PCI-DSS requirements. More importantly, reading further in the WhiteHat’s report, we find out that 60% of the e-retailers change their applications once a month and 40% of e-retailers update their sites once a week or more. This means that it takes more than seven months to fix the vulnerabilities, while applications are changing, which in turn, can potentially create new vulnerabilities on a daily, weekly or monthly basis.
Don’t get me wrong. I’m all for secure development of web sites and applications. I feel web sites should be scanned for vulnerabilities and once found, they should be fixed. However, this can be a little complicated. If you are part of the security group on the retailer’s side, you are not always aware of changes the application team is making. Even if you are aware, the code is sometimes written by a third party or it is a legacy code that no one knows how to change it anymore.
The bottom line: Building your web-site security infrastructure on vulnerabilities scanning and fixing is not practical. Making your PCI-DSS compliance rely on these scanning and fixing may cause your company not to pass PCI-DSS audits and not to comply with the regulation.
Complying with PCI-DSS requirements for secure Web applications (requirement 6.6) and securing your web application only has one practical solution: Web Application Firewall (or to follow the new term used by the PCI Security Council – “automated technical solution.”) All WAF solutions offer web protection at the application level, most of them comply with the Open Web Application Security Project (OWASP) Top Ten Threats, and they all offer a combination between Positive and Negative security models.
On the other hand, WAF solutions are known to consume lots of application management resources (that’s you and your workers). This is where the difference between a practical WAF solution and a not so practical one lies. One of the key selection criteria for your next WAF solutions should be the ability to automatically adapt the solution’s protection policies without human intervention and with as low as possible false-positives and false negatives.
With so many rapid changes, the automatic ability to adapt the WAF policies is the only way to ensure that your site is protected even as it is evolved and changed, without investing too many resources in keeping its security mechanisms up to date. It allows alignment of the Web application life cycle development process with the protection process. It ensures that the web application security is applied in a timely manner and enables protection while applying new changed.