I am no compliance guru, but I have been involved in several efforts associated with compliance. Of the ones I have seen so far, I happen to think the market-driven PCI DSS is the most effective. Perfect? Not even close, but at least it is somewhat specific, prescriptive, and sane. The updated PCI DSS 1.1, which is even more specific than the original, contains a bit of a puzzler: compliant enterprises must have either a Web Application Firewall (WAF) or a source code review by June 2008. Jacob West:
It's fantastic that a standard as impactful as PCI, which already included language that addressed software security concerns, is progressing to include accountability in the form of code review. However, it's concerning that the standard calls for an either/or choice between an activity and a technology that are not at all parallel. Application firewalls are effective at preventing certain kinds of attacks, but they are not an adequate substitute for building secure software. Code review is an essential part of secure development and should be mandatory for sensitive applications, like the ones governed by the PCI standards.
It just seems like a case of standards impedance mismatch. Source code review, as the quote above says, should be required in any case. If you want to give companies an option besides a WAF, that is fine, but I am not sure this is the right tradeoff. Also, a lot of what WAFs do is already covered by the OWASP guidance that PCI already requires. In any case, you do have to hand it to the PCI folks for at least moving the ball down the field on software security. A few companies may be confused along the way by these proposed tradeoffs, but hey, the analyst firms will sort all that out, no?