Security Basics mailing list archives

RE: DSS


From: "Bassill, Peter" <Peter.Bassill () galacoral com>
Date: Fri, 23 May 2008 16:39:04 +0100

In order to fulfil requirement 6.6, you must either have an application layer firewall in front of your 
applications, or perform code reviews. You can do both, or you can do either.

From the application layer firewall standpoint, this can be mod_security on the web servers as long as the signatures 
are updated in a timely manner (every day if required), or it can be a full-blown application layer firewall.

For the code review, inter-team peer reviews are an acceptable method of code review as long as these are fully 
documented. I would mention that for major new code releases, it would be advisable to have these tested by an external 
third party.

The simplest, and most cost-effective in the short term, is probably the inter-team code reviews; looking longer 
term you might want to look at an app layer firewall.

Hope this helps you.

-----
Peter D. Bassill
Group Information Security Officer
Gala Coral Group

(w) 01483 766766
(m) 07789 260643


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Hill, Pete
Sent: 23 May 2008 14:53
To: security-basics () securityfocus com
Subject: PCI: DSS


Hi all,

Can anyone confirm for me what sort of workarounds there are concerning
PCI:DSS and application layer firewalls?

Requirement 6.6 of the standard states this:

6.6 Ensure that all web-facing applications are protected against known
attacks by applying either of the following methods:
* Having all custom application code reviewed for common vulnerabilities
  by an organization that specializes in application security
* Installing an application layer firewall in front of web-facing
  applications.
Note: This method is considered a best practice until June 30, 2008,
after which it becomes a requirement.

We already have our custom code reviewed, but I'm wondering if I
absolutely must sort out an application layer firewall or if there is a
workaround that would be acceptable for a level 1 merchant.

If there are any knowledgeable auditors (qsa etc) out there I'd really
appreciate your help on this one.

Many thanks
Pete
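
The reply above suggests mod_security on the web servers, with signatures kept current, as the application layer firewall option for 6.6. The following Apache configuration is an added example, not part of the thread and not from either poster: it enables ModSecurity v2 in blocking mode and loads the OWASP Core Rule Set. The file paths, the audit-log location and the body-size limits are assumptions for a Debian-style install and will differ elsewhere.

```apache
# Added example (not from the thread): minimal ModSecurity v2 setup for Apache
# with the OWASP Core Rule Set, as one way to satisfy the WAF option of PCI DSS 6.6.
# Paths and limits below are assumptions for a Debian-style layout; adjust to taste.

<IfModule security2_module>
    # Tune with "DetectionOnly" first and review the audit log for false
    # positives; switch to "On" to actually block once the rules are tuned.
    SecRuleEngine On

    # Inspect request bodies (POST parameters), which is where most injection
    # payloads against a web application arrive.
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072

    # Audit log: record only transactions that triggered a rule or produced a
    # server error, so the log stays reviewable during tuning.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log

    # OWASP CRS: crs-setup.conf sets paranoia level and anomaly thresholds,
    # then the rule files are loaded. Keeping this directory current is the
    # "signatures updated in a timely manner" part of the reply.
    IncludeOptional /etc/modsecurity/crs/crs-setup.conf
    IncludeOptional /etc/modsecurity/crs/rules/*.conf
</IfModule>
```

The rule set itself must be refreshed on a schedule (a daily job that pulls the current CRS release and reloads Apache is the usual approach); the directives above only load whatever is present in the rules directory at start-up.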


