Enterprise Application Security - How to Balance the Use of Code Reviews and Web Application Firewalls for PCI Compliance

24 pages. Posted: 9 Sep 2008. Last revised: 14 Sep 2008

Date Written: September 7, 2008

Abstract

Organizations handling credit cards feel pressure building as the deadline for PCI Requirement 6.6 compliance [1] has passed and well-documented breaches have heightened the concerns of the public and regulatory agencies about how well companies are securing consumer-specific information. Despite some initial advances, sensitive information is still frequently stolen. Internal threats remain an issue, magnified by extended partnerships that ultimately lead to more tasks being performed outside company facilities. In increasingly complex technical and business environments, no single security approach can deal with all the new and innovative intrusions. But the lack of a security silver bullet does not mean data security is impossible. It simply means that businesses have to take a multi-pronged approach to data security.

This article is based on a project case study in protecting an enterprise application environment, including web-oriented applications. The article is PCI 6.6-oriented and compares the use of Web Application Firewalls (WAF) and code reviews for web-facing applications. It also addresses code scanning that is not web related, extending the code reviews into non-web applications, and briefly discusses other types of protection. Other articles have already discussed how to protect against SQL injection into the database and against internal threats, including a DBA that impersonates a user. The section "Protecting the Data Flow" includes a few pointers to resources discussing protection of the enterprise data flow. The code review section is longer since this is an evolving area from a PCI perspective, focusing on WAF and complementary code scanning. This article compares WAF and web-based code reviews and points to resources [15] discussing the whole data flow, which involves much more than C/C++ code scanning. The part concerning code analysis is not web-oriented; it covers C/C++/Java source code scanning, though it has some general parts. The case study from company ABC recommended using both WAF and code reviews.
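The abstract's conclusion, that a WAF and code review complement rather than replace each other, can be shown concretely. The following is an added example written for this page; it is not code from the paper or from Protegrity. It assumes a constructed in-memory SQLite table standing in for a cardholder-data store and a hypothetical three-signature list standing in for a WAF rule set (not any vendor's rules). The vulnerable lookup concatenates the request parameter into SQL, which is the defect a source code review would flag; the hardened lookup binds it as a parameter. Running an obvious payload and a simple variant through each combination of controls shows the signature filter stopping the first and missing the second, while the code fix neutralizes both, and the WAF still adds value as an immediate, deployable control while the code is being fixed.

```python
import re
import sqlite3


def make_db():
    """Build a constructed in-memory table standing in for a cardholder-data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, pan_last4 TEXT)"
    )
    # Constructed sample rows; no real cardholder data.
    conn.executemany(
        "INSERT INTO cards (holder, pan_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222")],
    )
    conn.commit()
    return conn


# Hypothetical signature list standing in for a WAF rule set. It is an
# assumption for this example, not any vendor's rules, and is deliberately
# narrow so that the evasion input below gets through.
WAF_SIGNATURES = [
    r"'\s*or\s+1\s*=\s*1",  # classic tautology
    r"union\s+select",      # union-based extraction
    r"--",                  # SQL comment used to truncate the query
]


def waf_allows(value):
    """Return True when no signature matches the request parameter."""
    return not any(re.search(p, value, re.IGNORECASE) for p in WAF_SIGNATURES)


def lookup_vulnerable(conn, holder):
    """Deliberately vulnerable: the parameter is concatenated into the SQL text.
    This is the defect a source code review (PCI 6.6, code review option) flags."""
    sql = f"SELECT holder, pan_last4 FROM cards WHERE holder = '{holder}' ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, holder):
    """Hardened form: a bound parameter is never parsed as SQL, whatever it contains."""
    sql = "SELECT holder, pan_last4 FROM cards WHERE holder = ? ORDER BY id"
    return conn.execute(sql, (holder,)).fetchall()


def handle_request(conn, holder, use_waf, use_hardened):
    """Simulate one request under a chosen combination of controls.
    Returns 'blocked' when the WAF rejects the input, otherwise the query rows."""
    if use_waf and not waf_allows(holder):
        return "blocked"
    lookup = lookup_hardened if use_hardened else lookup_vulnerable
    return lookup(conn, holder)


def compare_controls():
    """Run three constructed inputs through each control combination.
    Returns {input_name: {control_name: result}} so the gaps sit side by side."""
    inputs = {
        "benign": "alice",
        "obvious": "' OR 1=1 --",   # caught by the signature list
        "evasion": "' OR 'a'='a",   # same effect on the concatenated query, no signature hit
    }
    controls = {
        "none": (False, False),
        "waf_only": (True, False),
        "code_fix_only": (False, True),
        "both": (True, True),
    }
    results = {}
    for name, value in inputs.items():
        results[name] = {
            control: handle_request(make_db(), value, waf, fixed)
            for control, (waf, fixed) in controls.items()
        }
    return results


if __name__ == "__main__":
    for name, by_control in compare_controls().items():
        print(name)
        for control, outcome in by_control.items():
            print(f"  {control:14s} {outcome}")
```

With only the WAF in place the "evasion" input still returns every row, because the concatenated query becomes `WHERE holder = '' OR 'a'='a'` and none of the three signatures match it; with the parameterized query the same input is compared as a literal string and matches nothing. The "obvious" input is the one case where the WAF adds something the code fix does not: it is rejected before reaching the application at all, which is the kind of immediate coverage a WAF provides while a review-driven code fix is still being rolled out.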

Keywords: PCI, Visa CISP, SB1386, compliance, MasterCard

JEL Classification: C88

Suggested Citation

Mattsson, Ulf T., Enterprise Application Security - How to Balance the Use of Code Reviews and Web Application Firewalls for PCI Compliance (September 7, 2008). Available at SSRN: https://ssrn.com/abstract=1264694 or http://dx.doi.org/10.2139/ssrn.1264694

Ulf T. Mattsson (Contact Author)

Protegrity Corp. ( email )

One Canterbury Green
Stamford, CT 06901
United States

HOME PAGE: http://www.ulfmattsson.com
