Application code review vs. Application layer firewall
March 23rd, 2007 by datasecurity Posted in PCI DSS, Web Applications
PCI DSS Requirement 6.6 says, “Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:”
- Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
- Installing an application layer firewall in front of web-facing applications.
Dennis wanted more information, so he requested clarification from the PCI SSC. The question was whether you had to hire someone to perform a complete code review. You can read the response here. Dennis then concludes:
So there you have it, you don’t have to go through every line of code, or even hire someone else to do it. You can use other means, including application assessment tools like WebInspect and AMP, to test your applications.
Jeremiah feels this creates more interpretation problems because of the following qualifiers provided by the PCI SSC.
- “…also has the internal expertise to understand the findings and make appropriate changes…”
- “…when internal staff have the skills to use the tool and fix defects…”
At the end of the day, the focus of this requirement should be on securing the web application. The two options for this requirement should not be compared as apples-to-apples, but that is OK.
Even with the requirement for secure software development, attackers keep coming up with better methods to attack web applications. As a result, the new rule is put in place to require web application firewalls. The option of a code review is a fallback, and not comparable. It is only offered because some companies may not be able to implement a web application firewall and (it sounds strange) will want to meet the intent with something else… an application-level code review.
PCI likes to give options. I don’t see why people see this as a bad thing.