Trey Ford, director of solutions architecture, WhiteHat Security
May 12, 2008
Organizations handling credit cards feel pressure building as the deadline for PCI Requirement 6.6 compliance, June 30, 2008, approaches. Most are still evaluating how to strategically ensure compliance with this requirement, while maintaining a strong security posture.
The addition of stringent industry guidelines for web application security is long overdue. With the escalating threat of web attacks, organizations must remain vigilant. Web applications are a special breed of living code -- always online, always accessible, always being modified, and always subject to attack. Diligent web application security demands frequent assessment; attack research and findings targeting specific web applications are posted daily.
Requirement 6.6 is currently the subject of debate: its terminology is confusing, and its objective has been obscured by clever vendor marketing campaigns promoting specific solutions.
What does PCI Requirement 6.6 really say?
Requirement 6 is about "developing and maintaining secure applications and systems." Requirement 6.1 requires that vendor-supplied security patches be applied within one month of release. Securing and fixing custom application code is not quite as easy as downloading a patch from your favorite software vendor. Web application vulnerabilities must be identified, and fixes developed, tested, and deployed. In short, you're on your own for the entire process.
Specifically, PCI Requirement 6.6 mandates the following:
PCI DSS version 1.1 Requirement 6.6: Ensure that web-facing applications are protected against known attacks by applying either of the following methods: