Академический Документы
Профессиональный Документы
Культура Документы
November 2008
Table of Contents
1.
General .............................................................................................................. 3
2.
3.
2.1.
2.2.
White Paper
Page 2
1. General
.
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed by the
major credit card companies as a guideline to help organizations that process card
payments prevent credit card fraud, hacking, and various other security issues. A
company that processes, stores, or transmits credit card numbers must be PCI DSS
compliant or they risk losing the ability to process credit card payments. Merchants and
Service Providers must validate compliance with an audit by a PCI DSS Qualified Security
Assessor (QSA) Company.
PCI DSS Requirement 6.6 provides two options that are intended to address common
threats to cardholder data, and ensure that input to Web Applications from untrusted
environments is inspected top to bottom.
The minimum vulnerabilities to consider are described in Requirement 6.5 in the PCI DSS
version 1 document. In the context of Requirement 6.6, an application firewall is a Web
Application Firewall (WAF), which is a security policy enforcement point deployed between
a Web Application and the client end-point.
This document details how Radwares AppWall Web Application Firewall addresses all
requirements and recommendations as detailed in the following documents:
1. Payment Card Industry (PCI), Data Security Standard, Version 1.1
2. Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls
Clarified.
The PCI DSS requirements and recommendations and how AppWall addresses them are
presented in tables that should assist you in assessing and comparing the capabilities of
the Radware solution.
Note: This paper is not intended to give an overview of AppWall as a whole product. A
detailed solution overview is available on Radwares Web site at www.radware.com. In
addition, a frontal review of AppWall can be scheduled with Radware sales
representatives, product marketing or product management staff.
White Paper
Page 3
Radware Protection
White Paper
Page 4
Radware Protection
White Paper
Page 5
Radware Protection
Fail-open (a device that has failed allows traffic to AppWall is a reverse proxy which by definition
pass through uninspected) or fail closed (a
cannot be fail-open.
device that has failed blocks all traffic),
depending on active policy.
Note: Allowing a WAF to fail open must be
carefully evaluated as to the risk of exposing
unprotected Web Applications to the public
Internet. A bypass mode, in which absolutely no
modification is made to the traffic passing
through it, may be applicable in some
circumstances. (Even in fail open mode, some
WAFs add tracking headers, clean up HTML that
they consider to violate standards, or perform
other actions. This can negatively impact
troubleshooting efforts.)
In certain environments, the WAF should support SSL, SSL Client Certificates and proxying client
Secure Sockets Layer (SSL) client certificates and authentication are supported both using
proxying client authentication via certificates.
AppDirector and natively on AppWall.
Many modern Web Applications use client SSL
certificates to identify end users. Without this
support, these applications cannot reside behind
an application firewall. Many modern application
firewalls will integrate with Lightweight Directory
Access Protocol or other user directories and can
even perform initial authentication on behalf of
the underlying application.
White Paper
Page 6
Additional Considerations
Radware Protection
Since AppWall is a Reverse Proxy, original clientside IP addresses can be placed in an XForwarded-For HTTP Header according to the
practical de-facto convention.
White Paper
Page 7
2.2.
PCI DDS section 6.5 provides Web Application development guidelines that are referred to in
section 6.6 as minimal WAF requirements. All of these requirements are the same as
presented in the OWASP top 10 detailed in Addressing OWASP Top Ten with AppWall section,
where we explain how AppWall covers all of the OWASP Top 10 Requirements.
From PCI DSS, version 1.1, Section 6.5:
Develop all Web Applications based on secure coding guidelines such as the Open Web
Application Security Project guidelines. Review custom application code to identify coding
vulnerabilities. Cover prevention of common coding vulnerabilities in software development
processes, to include the following:
6.5.1 Unvalidated input
6.5.2 Broken access control (for example, malicious use of user IDs)
6.5.3 Broken authentication and session management (use of account credentials and
session cookies)
6.5.4 Cross-site scripting (XSS) attacks
6.5.5 Buffer overflows
6.5.6 Injection flaws (for example, structured query language (SQL) injection)
6.5.7 Improper error handling
6.5.8 Insecure storage
6.5.9 Denial of service
6.5.10 Insecure configuration management
All the vulnerabilities and threats mentioned above are covered in Addressing OWASP Top Ten
with AppWall.
White Paper
Page 8
what are the most critical Web Application security flaws. Project members include a
variety of security experts from around the world who have shared their expertise to
produce this list. OWASP urge all companies to adopt the standard within their organization
and start the process of ensuring that their Web Applications do not contain these flaws.
Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the
software development culture within your organization into one that produces secure code.
The following table summarizes the OWASP Top Ten vulnerabilities in Web Application
security, classified by OWASP:
OWASP
Vulnerability
Class
Radware Protection
A1 Unvalidated
Input
A2 Broken
Access Control
A3 Broken
Authentication
and Session
Management
A4 Cross Site
Scripting
A5 Buffer
Overflow
White Paper
Page 9
A7 Improper
Error Handling
A8 Insecure
Storage
A9 Application
Denial of Service
(DoS)
A10 Insecure
Configuration
Management
White Paper
Page 10
2008 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks
of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed
in the U.S.A.
White Paper
Page 11