- 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing an automated technical solution that detects and prevents web-based attacks (for example, a web- application firewall) in front of public-facing web applications, to continually check all traffic.
Requirement 6.6 of PCI DSS v3.2 also includes the following additional guidance:
- Web-application firewalls filter and block non- essential traffic at the application layer. Used in conjunction with a network-based firewall, a properly configured web-application firewall prevents application-layer attacks if applications are improperly coded or configured. This can be achieved through a combination of technology and process. Process-based solutions must have mechanisms that facilitate timely responses to alerts in order to meet the intent of this requirement, which is to prevent attacks.
The second bullet point of PCI DSS requirement 6.6 and the additional guidance are fully met when you deploy KEMP LoadMaster with our Web Application Firewall (WAF) and AFP (Application Firewall Pack) rule subscription. WAF works in conjunction with traditional security infrastructure, like firewalls and intrusion detection systems by adding the ability to inspect inbound and outbound network traffic at the application layer (Layer 7) of the network stack. Operating at Layer 7 and using the ability to open and inspect inbound application traffic, even if encrypted, allows for known threats to be detected and blocked. Known threats are always changing, and it can be hard for busy system administrators to keep up to date with the evolving threat landscape. To assist with this task the AFP subscription automatically provides a daily update of threat definitions to protect PCI DSS systems as fully as possible. These new threat definitions are created by security experts so that IT support personnel don’t have to be up to date every day on the latest threats. The included rules protect against the common vulnerabilities outlined in the OWASP top 10 list, and also against new and emerging threats.
Custom rules can also be deployed as required. Thus the process based guidance in PCI DSS 6.6 is covered. If a new threat is emerging then IT staff in the organization delivering the PCI DSS systems don’t have to wait for updates. They can develop and deploy their own threat protection rules. When developing these rules it is possible to run WAF in Passive mode so that events are just logged rather than acted upon. This allows applications to be characterized to determine the best rules to protect them. Once the application rules have been validated and tested, they can be activated by placing the WAF in Active mode. In Active mode suspicious events are logged and the application traffic is not delivered.
In addition to the inbound protection provided by WAF, it can also provide outbound protection to stop sensitive information leaking from an organization. Rules can be added to inspect outgoing network traffic to prevent data such as personally identifiable information, credit card numbers, or any other sensitive data that you define from being transmitted over the network. This is invaluable when operating in regulated sectors like the PCI-DSS financial sector.
KEMP LoadMaster with WAF comes with predefined configuration templates to ensure that it is configured correctly. In addition KEMP Professional services have experience from over 40,000 LoadMaster deployments and are available to assist IT Administrators in PCI DSS compliant organizations with the setup and ongoing management of the required web application firewall infrastructure. As a note in the Guidance section of requirement 6.6 says:
- Note: “An organization that specializes in application security” can be either a third-party company or an internal organization, as long as the reviewers specialize in application security and can demonstrate independence from the development team.
KEMP Professional Services are just such “an organization that specializes in application security” and are ready and eager to help you meet your PCI DSS needs for 6.6 and other IT related requirements.