D/DoS mitigation hardware/software needed.

Darren Bolding darren at bolding.org
Tue Jan 5 08:58:03 UTC 2010

I know of several companies, with large websites, that used code reviews as
at least one way they met this DSS requirement.  So, erm, empirically

The PCI DSS does not require code review of the software running in COTS
equipment, nor of underlying OSes or applications.  It requires a code
review of the application code that is inside PCI scope.  In general, this
means the code you write to run your website is the maximum scope of this

Plenty of companies allow code reviews for security and other purposes, and
with good reason.  There exist entire practices in IT security firms
dedicated to performing code reviews, and they appear to be growing.

Also, the PCI security council allows people to use automated code auditing
tools (such as Fortify), performing a manual "application assessment" - which
plenty of firms will let you pay them to do - or even to use automated web
application security scanners.  Several vendors of
Vulnerability Assessment tools that meet this spec are available.

I believe there is strong evidence that the use of web application firewalls
to meet this DSS requirement is smaller than you might think.  I would not
be surprised if it was significantly less than 50% - perhaps 20%.

To make the operational content clear- if someone tells you that you need to
buy a Web Application Firewall to meet PCI requirements (process credit
cards), be aware that is not the only option.  I'd recommend you choose the
option that is most likely to genuinely improve the security of your
infrastructure and business, which may well be a WAF.


On Mon, Jan 4, 2010 at 11:54 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:

> On Jan 5, 2010, at 2:38 PM, Darren Bolding wrote:
> > PCI DSS does not require a "Web application firewall".
> <http://searchsoftwarequality.techtarget.com/news/article/0,289142,sid92_gci1313797,00.html>
> Since no business is going to allow an external 'code review' (if it's even
> possible, given that they're likely using COTS products, the source code of
> which they simply don't have), this defaults to a requirement for the 'Web
> application firewall'.
> ;>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>    Injustice is relatively easy to bear; what stings is justice.
>                        -- H.L. Mencken

--  Darren Bolding                  --
--  darren at bolding.org           --
