Society of Payment Security Professionals - Payment Security Blog

What is an Application Firewall?

The moment news broke of the new PCI Security Standards Council (PCICo) and the addition of requirement 6.6 everyone has been asking, “so what constitutes an application firewall?” Does it have to be an application or appliance? What features must it have? These questions are just like the ones asked when people read requirement 11.3, mandating a penetration test. They asked then what constituted a “penetration test”.

Everyone knows what an application firewall is, but different people will have divergent views on what attributes or qualities it should provide. Hopefully the Web Application Security Consortium can put to rest these questions. They have published the Web Application Firewall Evaluation Criteria (v1.0 PDF) to answer some of these questions.

The goal of this project is to develop a detailed web application firewall evaluation criteria; a testing methodology that can be used by any reasonably skilled technician to independently assess the quality of a WAF solution.

The OWASP web site notes:

Under the new requirements, applications processing cardholder information MUST get either a code review or a web app firewall. The language isn’t exactly clear about what happens in 2008. In addition, the OWASP Top Ten must still be addressed.

Please don’t forget the OWASP Web Application Security Standards (WASS) project. You can view the security framework online.

Also, another

ModSecurity, an open source intrusion detection and prevention engine for web applications, may be just what organizations need to fulfill PCI DSS compliance obligations without the sticker shock.

According to a recent Forrester Research report on Web Application Firewalls (Q2 June 2006), “…ModSecurity is by far the most extensively deployed Web application firewall, with more than 10,000 customers.” and “ModSecurity’s stringent implementation standards — build nothing unless you approach the highest level of security — will push the entire Web application firewall market toward higher-quality products.”

I’ve been recommending ModSecurity for a long time and my bet is we’ll see huge surge in installations. Especially since commercial licensing, support, and a soon-to-be-released ModSecurity Console is on the horizon.

So what is a web application firewall? My advice is, you will know one when you see it.

Update: I’m very impressed to see companies monitoring what the public is saying about them and then actively participating in that conversation. Kevin Overcash, VP Product Management at Breach Security says:

The aforementioned WASC Web Application Firewall criteria does indeed provide a very good overview into the features that are possible with this devices. Web applications firewalls can be deployed as embedded host-based modules on Web servers or deployed inline or out-of-line for appliances.

Thinking Stone, the company started by Ivan Ristic the developer of ModSecurity and the open-source web application firewall ModSecurity was recently acquired by Breach Security.

Ivan and Breach Security will be releasing a new version of the open-source ModSecurity along with a console and rule sets in mid-October. A commercially supported version of the host-based software will be also be available in mid-October.

Breach Security will also be releasing an easy to deploy web application firewall appliance based upon ModSecurity for less than $6000 in mid-November. This appliance may be preconfigured with an optional PCI rule set which will provide compliance for section 6 of the PCI standard in mid-November. When deployed with the PCI rule set, the ModSecurity appliance can be installed by IT without requiring in-depth security expertise.

(It should be noted that Breach Security only acquired ModSecurity a week ago.  Impressive PR action.)