Web Application Firewalls and PCI DSS
by Ulf Mattsson - CTO of Protegrity - Monday, 19 January 2009.
We all know that time is a critical factor in selecting solutions to prevent breaches. Web Application Firewalls (WAFs) are the most effective mechanism for addressing security issues immediately, because the security rule set can be adjusted to stop new attack types without system downtime while you are changing the application code.

Web applications are increasingly becoming malicious hackers' favored attack vector, with over 46 percent of all data-stealing attacks now conducted via the Web according to a recent study by Websense. And, due to data thieves' growing use of automated tools, new web application vulnerabilities are being exploited within 24 hours of the threat first being disclosed, according to a recent report by IBM's X-Force. Since patching is rarely a quick and easy affair in a business environment, attackers have a good chance of getting into a system before an enterprise can address a vulnerability.

Malicious hackers like web applications because they have built-in, exposed mechanisms with connectivity to the data the attacker is after: credit card numbers and/or other exploitable information. It makes no sense to compromise an entire system when you can manipulate one application into releasing the data you're looking for. It doesn't even take a skilled attacker to carry out such an attack successfully; tool kits that automate the process are readily available for less than $300. Some kit providers even offer technical support services.

And since most security protection still resides at the network layer, not the application layer, the chances of getting caught are much lower. Application attacks are also much harder to catch and prevent at the network layer, because the network components don't understand the application, its logic, or which resources should be accessed by which user roles. Common vulnerabilities and exposures across the Web include application-level attacks such as cross-site scripting, SQL injection and buffer overflows.

A WAF provides a quick solution for PCI DSS Requirement 6.6. A WAF can protect custom applications, third-party applications, and legacy applications, even where the organization does not control the source code (as with SAP, Oracle and PeopleSoft web applications and portals) and where the people who understand the application are no longer available. It is also important to minimize the number of bugs in applications. Whatever tool is used, it should be accompanied by code reviews, appropriate testing including fuzz testing, coding standards that are actually followed, and proper education. You can find best practices for protecting web-based applications here.
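The two ideas above, a rule set that inspects requests for the common application-level attacks named earlier (SQL injection, cross-site scripting, oversized input) and a rule set that can be swapped at runtime to shield a vulnerable endpoint until the code is fixed, can be shown with a small request filter. The following is an added example written for this page, not code from the article or from any WAF product; the rule patterns, the rule ids, the sample requests and the `/legacy/export` endpoint are all constructed for illustration and are far simpler than a production signature set.

```python
"""Minimal rule-based HTTP request filter in the style of a WAF.

Illustrates (1) applying a rule set to decoded request fields and
(2) replacing that rule set at runtime without a restart (a "virtual
patch" for an endpoint that cannot be fixed in code quickly).
All rules, ids and sample requests are constructed for this example.
"""
import json
import re
import urllib.parse
from typing import Dict, List

# Constructed starting rule set, kept as JSON so it can come from a file or
# management API in a real deployment. Patterns are deliberately simple.
INITIAL_RULES = json.dumps([
    {"id": "SQLI-001", "type": "regex", "targets": ["query", "body"],
     "pattern": r"(?i)\bunion\b\s+(?:all\s+)?select\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+"},
    {"id": "XSS-001", "type": "regex", "targets": ["query", "body"],
     "pattern": r"(?i)<\s*script\b|javascript\s*:|\bon[a-z]+\s*="},
    # Oversized values are the classic precursor of buffer-overflow style bugs.
    {"id": "LEN-001", "type": "max_length", "targets": ["query", "body", "headers"],
     "limit": 2048},
])

# Same rules plus a virtual patch that denies a hypothetical vulnerable path
# until the application itself can be patched (constructed endpoint).
VIRTUAL_PATCH_RULES = json.dumps(json.loads(INITIAL_RULES) + [
    {"id": "VPATCH-001", "type": "regex", "targets": ["path"],
     "pattern": r"^/legacy/export(?:/|$)"},
])


def _decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded input is inspected in plain form."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


class RequestFilter:
    def __init__(self, rules_json: str) -> None:
        self._rules: List[dict] = []
        self.load_rules(rules_json)

    def load_rules(self, rules_json: str) -> int:
        """Compile a new rule set and swap it in with one assignment; no restart needed."""
        compiled = []
        for raw in json.loads(rules_json):
            rule = dict(raw)
            if rule["type"] == "regex":
                rule["regex"] = re.compile(rule["pattern"])
            compiled.append(rule)
        self._rules = compiled
        return len(compiled)

    @staticmethod
    def _fields(request: Dict) -> Dict[str, List[str]]:
        """Flatten a request into named inspection targets, all URL-decoded."""
        return {
            "path": [_decode(request.get("path", ""))],
            "query": [_decode(v) for v in request.get("query", {}).values()],
            "body": [_decode(v) for v in request.get("body", {}).values()],
            "headers": [_decode(v) for v in request.get("headers", {}).values()],
        }

    @staticmethod
    def _matches(rule: dict, value: str) -> bool:
        if rule["type"] == "regex":
            return rule["regex"].search(value) is not None
        if rule["type"] == "max_length":
            return len(value) > rule["limit"]
        return False

    def inspect(self, request: Dict) -> List[str]:
        """Return the ids of every rule the request trips; an empty list means allow."""
        fields = self._fields(request)
        hits = []
        for rule in self._rules:
            values = [v for t in rule["targets"] for v in fields.get(t, [])]
            if any(self._matches(rule, v) for v in values):
                hits.append(rule["id"])
        return hits


# Constructed sample requests with raw (still URL-encoded) values, as a WAF sees them.
SAMPLE_REQUESTS = {
    "benign":   {"method": "GET", "path": "/search", "query": {"q": "red+shoes"}},
    "sqli":     {"method": "GET", "path": "/search", "query": {"q": "%2527%20or%201%3D1"}},
    "xss":      {"method": "POST", "path": "/comment", "body": {"text": "<script>alert(1)</script>"}},
    "oversize": {"method": "GET", "path": "/", "headers": {"User-Agent": "A" * 5000}},
    "legacy":   {"method": "GET", "path": "/legacy/export", "query": {"format": "csv"}},
}


def run_demo() -> Dict[str, Dict[str, List[str]]]:
    """Inspect the samples before and after the rule-set swap; returns both result maps."""
    waf = RequestFilter(INITIAL_RULES)
    before = {name: waf.inspect(req) for name, req in SAMPLE_REQUESTS.items()}
    waf.load_rules(VIRTUAL_PATCH_RULES)  # hot swap: no downtime, no application code change
    after = {name: waf.inspect(req) for name, req in SAMPLE_REQUESTS.items()}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, results in run_demo().items():
        for name, hits in results.items():
            print(f"{phase:6} {name:8} {'BLOCK ' + ','.join(hits) if hits else 'allow'}")
```

The bounded decode loop matters: a filter that inspects only the raw or once-decoded value misses the double-encoded `%2527` quote in the constructed "sqli" sample. The `legacy` request is allowed under the initial rules and blocked only after `load_rules` installs `VPATCH-001`, which is exactly the "virtual patch" use of a WAF that lets an organization buy time for a proper code fix.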
