Profense ensures PCI DSS section 6.6 compliance
Every company today has a presence on the Internet. The number of web applications (e-commerce, extranet, content management system, etc.) is increasing, and their growing importance to all aspects of business is obvious. But it is estimated that 70% of current web applications are still open to attack.
While IT professionals work to secure the network perimeter, web applications continue to remain vulnerable. Web application vulnerabilities threaten not only the organization running the application, but also visitors to these websites. These visitors may lose their privacy.
Regulators are therefore increasingly requiring companies to secure their web applications and thus to purchase web application firewalls, such as Armorlogic's Profense.
Sarbanes-Oxley, the Gramm-Leach-Bliley Act, HIPAA, the UK Data Protection Act, the Payment Card Industry Data Security Standard (PCI-DSS), and other regulations require companies throughout the world to protect the web-based data which they control.
PCI DSS
Refer to Information Supplement
In particular, the updated standard for securing websites accepting major credit cards, the Payment Card Industry Data Security Standard (PCI DSS 1.1), is very specific and prescriptive about web application security. In section 6.6 it requires that either
- an application layer firewall is in place protecting web-facing applications, or
- web-facing applications are tested by web security specialists.
Other standards are less prescriptive, but PCI-DSS is likely to set the future standards of website security, as it will serve as a guideline for auditors evaluating the strength of a company's security provisions.
Of course, from a technical standpoint, the best option would be to go for both (security testing and an application firewall), but from a business perspective a lot of companies are likely to choose one of the options, as only one is required, especially when they have to choose between $25K+ options with high recurring cost.
Choosing the application firewall path, one option is to go for do-it-yourself, manually configured open source application firewall solutions. For some it will work, but as applications and website content tend to change over time (sometimes without the security administrator knowing it), the policy needs to be adjusted to reflect changes. This solution also requires that the security administrator is skilled at regular expressions and that he/she has the complete picture of the web sites and applications, including all input options.
There is no such thing as a free lunch, and the price of the open source solution is a lot of time spent creating and adjusting the policy.
Another option is to go for an automated, appliance-based solution which will automatically learn normal application behaviour and configure a policy allowing normal application use. These solutions will provide excellent protection, but a lot of companies are put off by the price tag.
What is special about Profense?
Clearly, for a lot of companies the perfect solution would be an affordable automated solution allowing for fast-track implementation of web application security. That's Profense Professional. It fits the gap between the "hard to manage and configure" and the expensive automated solutions, allowing for a more balanced approach in terms of time/money spent on the solution. There may even be money left for application security testing.
Some reasons for Armorlogic being able to offer Profense at such attractive prices are that:
- Profense is a "do it yourself appliance". We provide an ISO image with a complete package including a minimalized OS (OpenBSD) which will turn a piece of server hardware into an appliance. Thus Armorlogic does not have to spend money on specialized hardware.
- Others have done a lot of work for us making high quality Open Source software (OpenBSD, Apache, OpenSSL, etc.).
- We rely on high numbers instead of high margins.