PCI Compliance Madness - See! I'm not insane!

RafalLos — Sat, 25 Oct 2008 05:41:00 GMT

Rich Mogull over at Securosis totally nailed it. This article he put up talking about the Web Application Firewall (although it's still a mis-named product, see my rant here) vs. secure coding is brilliant. I've been saying this since I can remember hearing about "WAFs"... and it's nice to see someone out there that people actually recognize (Rich is an industry heavyweight) echo this sentiment... although the analogy of using Cajuns and gumbo is probably beyond my abilities :)

Still thinking about this as I sat here and re-read the PCI DSS current standard (and supporting documentation)

{PCI DSS}
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes

Installing a web-application firewall in front of public-facing web applications

{/PCI DSS}

A few things immediately hit me that I felt the immediate need to comment on, because my mind now thinks in terms of "if I'm a business leader, how do I find loopholes in this...". Here are my thoughts:

I am having an issue with the term public-facing being there. I'd be OK with business-critical or something that indicates the application/site hosts critical data (such as user information, credit card numbers, etc). What if I'm a business and I have 100 "public-facing" sites, but they just all happen to be brochure-ware. Granted I am a card processor. Does it make sense to put non-mission-critical (or containing no critical data) sites through this review process?
"... after any changes" - so if I change the background, or add new legal verbiage I have to re-submit my site to inspection? That makes no sense from a business perspective... does it?
Notice that it says "Review" and not "Review and mitigate any critical issues found within x time-frame"; does this bother anyone else?
The word "either" implies an OR clause here... why does the PCI DSS council see Security Review and added protection as an OR?

As you can guess, I can come up with no less than 5 scenarios where I'm [assuming I'm a business which should be compliant with this policy] going to be horribly security-deficient while still being PCI Compliant. So once again, I'm going to return back to this question and I want everyone to think about this carefully. Would you rather be PCI Compliant, or secure? Further, does compliance equal security?

Following the White Rabbit Blog : Web application firewall

PCI Compliance Madness - See! I'm not insane!