{"id":1464,"date":"2014-07-25T15:46:19","date_gmt":"2014-07-25T13:46:19","guid":{"rendered":"http:\/\/blog.patricksauer.net\/?p=1464"},"modified":"2020-02-04T11:30:57","modified_gmt":"2020-02-04T09:30:57","slug":"pci-dss-3-0-requirement-6-6-waf-monitoring-only-is-configured-to-either-block-web-based-attacks-or-generate-an-alert","status":"publish","type":"post","link":"https:\/\/security.sauer.ninja\/en\/pcidss\/pci-dss-3-0-requirement-6-6-waf-monitoring-only-is-configured-to-either-block-web-based-attacks-or-generate-an-alert\/","title":{"rendered":"PCI DSS 3.0 &#8211; Requirement 6.6 (WAF): Monitoring Only &#8211; &#8220;Is configured to either block web-based attacks, or generate an alert.&#8221;"},"content":{"rendered":"<p>Today I was working on a presentation about PCI DSS 3.0. Since a major client of mine is an international payment service provider doing credit card transactions, I am quite familiar with PCI DSS 2.0. I already read the new Standard a few months ago, but today I stumbled upon an interesting sentence in the Testing Procedure for PCI Requirement 6.6 (WAF) that makes me wonder about PCI DSS 3.0.<\/p>\n<p>PCI DSS Requirement 6.6 requires companies either to use a Web Application Firewall (or some technical equivalent) or to perform manual or automated application vulnerability security assessments after every change:<\/p>\n<blockquote><p>6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:<br \/>\n[..]<br \/>\n&#8211; Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.<\/p><\/blockquote>\n<p>Performing automated application vulnerability security assessments is a little tricky and requires a software development team and process at a high maturity level. I assume that most companies comply with Requirement 6.6 by using a Web Application Firewall (WAF). Companies can write their own rule sets for a WAF, use a rule set from the WAF\u2019s vendor or use a rule set from OWASP (the OWASP Core Rule Set, CRS). In any case, the blocking \/ enforcing mode of the WAF should be activated to actually prevent attacks. That is industry best practice and is, or rather maybe was, required by PCI DSS when companies deployed a WAF to comply with Requirement 6.6.<\/p>\n<p>Among a lot of other changes there is a new sentence in the Testing Procedure of PCI Requirement 6.6 which seems a little awkward. Pay attention to the last sentence:<\/p>\n<blockquote><p>6.6 For public-facing web applications, ensure that either of the following methods is in place as follows:<br \/>\n[..]<br \/>\nExamine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows:<br \/>\n&#8211; Is situated in front of public-facing web applications to detect and prevent web-based attacks.<br \/>\n&#8211; Is actively running and up to date as applicable.<br \/>\n&#8211; Is generating audit logs.<br \/>\n&#8211; <strong>Is configured to either block web-based attacks, or generate an alert.<\/strong><\/p><\/blockquote>\n<p>So, I want to repeat it: WAF &#8220;<strong>Is configured to either block web-based attacks, or generate an alert.<\/strong>\u201d Sorry, but what the fuck? After years of PCI DSS it is now okay to deploy a WAF in monitoring mode. At least it needs to generate alerts\u2026<\/p>\n<p>I found two links on the web which also state this as a problem: someone in a high position at Gartner[1] and some slides about PCI 3.0[2]. I tried to clarify this with our QSA company, but just got a short answer that a WAF needs to block attacks, and no comment on this last sentence in the Testing Procedure of 6.6. I decided to write an e-mail to the PCI DSS Council and hope to get an answer that explains it. I will post the answer if and once I get one.<\/p>\n<p>For the security of customers\u2019 credit card information I really hope this is some sort of mistake or typing error. Anyway, I assume there will be some QSAs out in the world who will accept a WAF in monitoring mode \u2013 it doesn\u2019t matter if it was an error if PCI DSS is treated like a law text and not correctly interpreted. And if this is not an error but done on purpose, I wouldn\u2019t really understand that change of mind in the PCI Council.<\/p>\n<p>[1] http:\/\/blogs.gartner.com\/anton-chuvakin\/2013\/11\/08\/briefly-on-pci-dss-3-0\/<br \/>\n[2] https:\/\/www.netspi.com\/blog\/entryid\/207\/things-not-to-overlook-in-the-new-pci-dss-3-0<\/p>\n<p>10\/30\/2014: <a href=\"\/security\/en\/pci-compliance\/the-pci-councils-response-regarding-a-monitoring-only-waf-req-6-6-pci-dss-3-0\/\">The Council&#8217;s response<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today I was working on a presentation about PCI DSS 3.0. Since a major client of mine is an international payment service provider doing credit card transactions, I am quite familiar with PCI DSS 2.0. 
I have already read the new Standard a few months ago, but today I stumbled about an interesting sentence in &#8230; <span class=\"more\"><a class=\"more-link\" href=\"https:\/\/security.sauer.ninja\/en\/pcidss\/pci-dss-3-0-requirement-6-6-waf-monitoring-only-is-configured-to-either-block-web-based-attacks-or-generate-an-alert\/\">[Read more&#8230;]<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","footnotes":""},"categories":[215],"tags":[],"class_list":{"0":"entry","1":"post","2":"publish","3":"author-psauer","4":"post-1464","6":"format-standard","7":"category-pcidss"},"_links":{"self":[{"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/posts\/1464","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/comments?post=1464"}],"version-history":[{"count":15,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/posts\/1464\/revisions"}],"predecessor-version":[{"id":1598,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/posts\/1464\/revisions\/1598"}],"wp:attachment":[{"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/media?parent=1464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/categories?post=1464"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/tags?post=1464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templa
ted":true}]}}