PCI v1.1 Section 6.6 (a bit of clarification please)

Published 16 March 07 04:04 PM | Dennis 

If you are dealing with PCI (https://www.pcisecuritystandards.org/) in your job, I’m sure you have read the PCI v1.1 standard. You may have noticed section 6.6, which mandates either testing your applications or putting some sort of application firewall in front of them, and which becomes a requirement on June 30, 2008. Specifically it says:

Section 6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
• Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
• Installing an application layer firewall in front of web-facing applications.
Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.

Upon reading this I was confused as to whether it meant you had to hire someone to go digging through your code, or whether other means would work. After digging around for a long time we finally got an “official” resolution to this ambiguity. Specifically, we asked the PCI council whether a tool like WebInspect or another application assessment tool would meet this requirement. Here is what they said:

**** Email from the PCI Council ****
The answer to your inquiry is as follows.
 
Using specialized 3rd-party tools that perform thorough analysis of applications to detect vulnerabilities and defects may well meet the intention and objectives of the source code review requirement in PCI Data Security Standard requirement 6.6, if the company using the 3rd-party tool also has the internal expertise to understand the findings and make appropriate changes.

The PCI Security Standards Council will look to clarify this section of the standard during the next revision, to include that testing of web-facing applications can be done via source code review or products that test the application thoroughly for defects and vulnerabilities (when internal staff have the skills to use the tool and fix defects). The PCI Security Standards Council will also consider including prescriptive requirements as to what both the application firewall and application analysis tool or process should test for.
 
Thank you and regards,

The PCI Security Standards Council Response Team
<email available upon request>

**** End of Email ****

So there you have it: you don’t have to go through every line of code by hand, or even hire someone else to do it. You can use other means, including application assessment tools like WebInspect and AMP, to test your applications.

Comments

# Dennis said on March 21, 2007 8:47 AM:

Jeremiah Grossman posted an interesting response to this blog post.  You can read it here

http://jeremiahgrossman.blogspot.com/2007/03/pciv11-sec-66-clarification-leads-to.html.

I think he makes some good points about the need for people to be properly trained. I should have mentioned that more clearly in my post, but I was discussing tools so training slipped my mind. So for the record: whatever technique you use to comply with Section 6.6 of PCI, make sure the tester is properly trained. Actually, make sure your testers are properly trained no matter why you are assessing the security of your web applications. The best tool in the hands of an inexperienced or untrained user will not perform like you need it to.

# Michael Sutton's Blog said on January 31, 2008 10:49 AM:

Welcome to 2008. By now you have no doubt made and broken a number of New Year's resolutions. Not
