Security Basics mailing list archives

RE: DSS


From: Craig Wright <Craig.Wright () bdo com au>
Date: Sat, 24 May 2008 08:19:14 +1000


Secure coding.

You either test (static code analysis at a minimum) the application

OR

Application firewall.

OR

Do not allow access (usually not an option for a web app)

Regards,
Craig


Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/

-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Hill, Pete
Sent: Friday, 23 May 2008 11:53 PM
To: security-basics () securityfocus com
Subject: PCI: DSS


Hi all,

Can anyone confirm for me what sort of workarounds there are concerning
PCI:DSS and application layer firewalls?

Requirement 6.6 of the standard states this:

6.6 Ensure that all web-facing applications are protected against known
attacks by applying either of the following methods:
* Having all custom application code reviewed for common vulnerabilities
  by an organization that specializes in application security
* Installing an application layer firewall in front of web-facing
  applications.
Note: This method is considered a best practice until June 30, 2008,
after which it becomes a requirement.

We already have our custom code reviewed, but I'm wondering if I
absolutely must sort out an application layer firewall or if there is a
workaround that would be acceptable for a level 1 merchant.

If there are any knowledgeable auditors (qsa etc) out there I'd really
appreciate your help on this one.

Many thanks
Pete

