Secure delivery

In his most recent visit to the Middle East, Guy Rosefelt, manager, app firewall international technical operations, applications network group at Citrix Systems, discussed the ramifications of the PCI DSS compliance standard, and how enterprises can get more from their web application firewalls.

By  Sathya Mithra Ashok Published  July 19, 2008

Other customers who don't have the luxury or financial resources to work along those lines are being more diligent about standards. They are also aware that there are other issues that come into play.

It is not just PCI DSS; institutions have to meet other requirements, like Basel II. Considering the fines that are levied and the sanctions that are imposed, these firms try hard to meet standards.

So smaller companies are actually doing a better job than bigger companies, because they are less likely to be able to take the hit than the big ones.

Gartner states that app firewalls are not enough and that software code review is a better way to ensure IT security. Do you agree with that?

There is nothing like good secure code. The whole point of putting web app firewalls in place is because the code is not secure.

I agree that there is no single line of defence. Traditional security thinking is that it is a layered approach and, honestly, it is always going to be a layered approach. What the layers are, and how they work together, are probably going to be changing over periods of time.

There is nothing better than having good secure code. If I have good secure code, by definition, it is not vulnerable to things I need to be worried about. The whole purpose of putting the web app firewall in place is because the code is not secure. And the code is not secure because the majority of developers are people who don't understand security. They were taught to write code, really fast. They are just not taught that security breaches go with that. So you don't have secure code.

The US military has standards for software development, and there is a lot of validation that needs to be done, in terms of how the app works and in terms of how you verify the data going into an app to ensure it is the right kind of stuff. Now take a banking app, which probably passes millions of dollars of more information than a government app ever could.

In fields that are supposed to trap 11 numbers, I can type in an impossibly huge string to break the app, because some apps are not designed to make sure that only 11 digits go in the form and nothing else.

That is a very big thing - if they did really simple validation on all the fields in the form that would cause a good portion of all the vulnerabilities to disappear. With that done, they would still need something to protect the app. That is where web app firewalls come in.

PCI DSS came out with the standard stating, you need to have code review or a firewall. And they came up with a clarification that said, for the best of both worlds, you want to have both. You need a firewall, and you need a code review to rectify the code.

The thing about the code review is that you have to do it every time you change the app, for which you need to review the entire app. The code review must specifically look for vulnerabilities, but most tools don't do that; most people who do the review don't even know what the app is for.

So I personally advocate that you need the app firewall, and you need to do the code review. PCI DSS mandates that every time we change the app a code review must be done. A code review takes anywhere from three weeks to five months, and costs anything from $25,000 to $100,000. If I make a change on a weekly, bi-monthly basis, this means I have to redo processes and that is not entirely efficient.

With app firewalls, companies can protect apps, and then plan the code review process in a pattern that makes more sense. Maybe on a semi-annual basis when they can put all the changes together and then verify everything to make sure it works. But enterprises definitely still need to put in place both measures together.
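The "really simple validation on all the fields in the form" described above, as an added example that is not part of the original interview or any Citrix product: a positive-model validator for a hypothetical payment form (field names, length caps and patterns are constructed assumptions) that enforces a hard length limit on every field before any pattern matching or parsing, so an impossibly huge string in an 11-digit field is rejected up front.

```python
import re

# Constructed per-field rules for a hypothetical form (assumption, not from the
# article): every field gets a hard length cap and a strict allow-list pattern.
FIELD_RULES = {
    "account_number": {"max_len": 11, "pattern": r"[0-9]{11}"},
    "amount": {"max_len": 12, "pattern": r"[0-9]{1,9}(\.[0-9]{2})?"},
    "memo": {"max_len": 64, "pattern": r"[A-Za-z0-9 .,'-]*"},
}


def validate_form(form, rules=FIELD_RULES):
    """Return a dict of field -> reason for every field that fails validation.

    An empty dict means the submission may proceed to business logic.
    """
    errors = {}
    for name, rule in rules.items():
        value = form.get(name)
        if value is None:
            errors[name] = "missing"
            continue
        if not isinstance(value, str):
            errors[name] = "not a string"
            continue
        # Length check first: it is O(1) and stops oversized input before the
        # regex engine or any downstream parser ever sees it.
        if len(value) > rule["max_len"]:
            errors[name] = f"too long ({len(value)} > {rule['max_len']})"
            continue
        # fullmatch forces the whole value to match the allow-list pattern.
        if not re.fullmatch(rule["pattern"], value):
            errors[name] = "does not match allowed format"
    # A positive model only admits fields it knows about; reject the rest.
    for name in form:
        if name not in rules:
            errors[name] = "unexpected field"
    return errors


# Constructed sample submissions: a well-formed one and one carrying a huge
# string in the 11-digit field plus a field the form never defined.
GOOD_SUBMISSION = {"account_number": "12345678901", "amount": "100.00", "memo": "Invoice 42"}
BAD_SUBMISSION = {"account_number": "9" * 100000, "amount": "100.00", "memo": "x", "debug": "1"}

if __name__ == "__main__":
    print("good:", validate_form(GOOD_SUBMISSION))
    print("bad:", validate_form(BAD_SUBMISSION))
```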

What percentage of global enterprises, do you believe, will be compliant by the PCI deadline of June 30, 2008?

We are at about the same place as we were with Y2K, where people are scrambling till the very last minute to get things done. Obviously, there are lots of people in the process of doing PCI compliance testing but it is probable that 40% to 50% of organisations around the world will not be compliant. Latin America has been given an extension because their infrastructure just does not support it.

There are people in the Middle East who might be expecting the same, because they don't want to do it. The bigger organisations will take the hit, the smaller ones are doing more. Around 50% of the global organisations are still not going to be compliant, come June 30th.

It is going to be the same average overall, in the Middle East and elsewhere. But the problem piece with compliance is the security plan. I know a lot of people who are building the infrastructure but their processes are not going to be complete.

So just because they have the stuff in place does not mean they can comply with the process. So you are going to see people who are going to be late getting audited. It will drop from 50% to lower, probably by the third quarter of the year, maybe by the end. People are working till the last minute to get there.

The question is going to be, whether credit card firms will start enforcing the sanctions. Are they going to do it on June 30th, 2008? Probably not. Given three months, maybe. How much time are they going to give? We don't know. However, the longer they give for compliance, the more chance there is of a breach.
