I have a love-hate relationship with PCI-DSS. Love it because it provides IT Security a firm lever to do something about web application security. Hate it because of the way the process has been implemented. No matter what, though, I remain generally optimistic and eager to read whatever clarification the council offers on the ambiguity of section 6.6. We all know the deadline is right around the corner. So when Standards Council General Manager Bob Russo took the time to comment about section 6.6 in a recent Information Security magazine article, I was keenly interested, because customers ask me questions about it daily.
The first thing we're told is that a draft (1.2 or 2.0) will be out for review in August, with the official version slated for September. Fortunately, Bob revealed the industry wouldn't be left hanging without official guidance before the June 30 deadline passes. They are going to "clarify a lot of this stuff", and the sooner they do, the better. One can only hope they do a good job, because so far there is no authoritative clue to be had that I can find. BUT… here comes the kicker; check out the last snippet:
"Personally, I'd love to see everyone go through an OWASP-based source-code review, but certainly, that's not going to happen," Russo said, referring to the expensive and time-consuming process of manual code reviews.
Whoa, that's HUGE and should send a lot of people reeling. Bob Russo comes right out and says 6.6a is "source-code review", contrary to some beliefs that black box scanning/analysis may fit the bill. Typo/misquote? Unknown for sure. Secondly, and more astonishing, is his candor that the OWASP-based testing process (what's that?) is not possible anyway. I can only think that the council did the math, as I have, that the source-code review method is simply too cost prohibitive at internet-wide scale. We're talking potentially billions in cost, not to mention too many vulnerabilities to fix anyway. The next bombshell…
"So the application firewall is probably the best thing to do, but there needs to be some clarification around what it needs to do."
To me this basically sounds like a WAF endorsement and a dream come true for all the vendors out there. I can almost hear the PR machines gearing up for a marketing blitz on this one before the impending "clarification" imposes any doubt. Good thing I've been getting well educated in this space and familiarizing myself with the players' technology. Everyone said I was crazy a year ago for exploring this route, but here we are.