Breach Security Comments on Clarification of PCI DSS Requirement 6.6

New Information Supplement Reinforces Need to Ensure Vulnerabilities Are Remediated Beyond Scanning

CARLSBAD, Calif., April 23, 2008 — Breach Security, Inc., the leader in web application security, today provided comments on the Information Supplement published by the Payment Card Industry (PCI) Security Standards Council (SSC) around the Data Security Standard (DSS) – Requirement 6.6, which is designed to protect web-facing applications from common application-layer attacks. The new PCI Information Supplement reaffirms the importance of deploying web application firewalls to comply with the PCI DSS.

Requirement 6.6 states that organizations must “ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

  • Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.
  • Installing an application-layer firewall in front of web-facing applications.”

The Information Supplement also echoes the sentiment that organizations should be utilizing both of these security practices rather than selecting only one, stating “proper implementation of both options would provide the best multi-layered defense.” However, the PCI SSC recognizes that doing both may not be technically or fiscally possible in all cases.

“In an ideal world, code is developed, scanned and any issues remediated prior to release into production,” said Ryan Barnett, director, Application Security for Breach Security, Inc. “In reality, web applications are dynamic in nature and change continuously, creating an inherent gap in protection and compliance. Breach Security WebDefend web application firewall provides uninterrupted protection and compliance.”

The critical issue facing organizations is not simply the identification of vulnerabilities, but rather the resolution of those security issues. There is an inherent gap between identifying a vulnerability and remediating it with an updated code fix. This is the core issue in Requirement 6.6—to implement an effective remediation process to prevent successful web attacks.

The prompt and accurate remediation of identified vulnerabilities is critical for protection of cardholder data. While code fixes are considered best practice, not all vulnerabilities and coding errors can be easily resolved. Third-party, legacy and acquired applications challenge this best practice.

Breach Security WebDefend web application firewall goes beyond scanning by providing continuous security for the entire protected application. WebDefend monitors web applications in real time, prevents attacks and data leakage, and alerts on any security events detected. Furthermore, it ensures that all components of the application are assessed for security defects and that the application is continually tested for the latest vulnerabilities, even as new code is deployed.

Only WebDefend provides organizations with the flexibility to remediate code based on a detailed forensic data capture or to implement automated attack prevention. This addresses the core issue in Requirement 6.6—to implement an effective remediation process to prevent successful web attacks.

Breach Security is offering further comment and clarification via a live webinar on Friday, April 25, 2008 at 8:30 am Pacific / 11:30 am Eastern. The webinar will be repeated on Thursday, May 1, 2008 at 8:30 am Pacific / 11:30 am Eastern. Visit www.breach.com/PCIwebinar to register.

About the PCI Security Standards Council

The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of the PCI Data Security Standard and other standards that increase payment data security.

The PCI Security Standards Council was formed by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the PCI Data Security Standard (DSS), PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS). Merchants, banks, processors and point of sale vendors are encouraged to join as Participating Organizations.

About WebDefend

WebDefend is an advanced web application firewall that offers customized, behavior-based security for each protected application. Only WebDefend uses a patent-pending profiling system and multiple, collaborative detection engines to ensure the flow of business-critical traffic while supplying complete protection for applications to keep the organization’s confidential information safe from targeted attacks. Deployed out-of-line, WebDefend uniquely provides non-intrusive, effective security for multi-application environments while continuing to provide full blocking capabilities. In 2008, WebDefend has been praised for its attack detection and prevention, ease of use, performance and targeted PCI features in reviews by major industry publications including SC Magazine and Information Security magazine, a TechTarget publication.

About Breach Security

Breach Security, Inc. is the leading provider of real-time, continuous web application security that protects sensitive web-based information. Breach Security’s products protect web applications from hacking attacks and data leakage, and ensure applications operate as intended. The company’s products are trusted by thousands of organizations around the world, including leaders in finance, healthcare, ecommerce, travel, and government. For more information, please visit www.breach.com.

###

Breach Security and WebDefend are trademarks of Breach Security, Inc. All other brand, product and service names are the trademarks, registered trademarks or service marks of their respective owners.