The New PCI Requirement: Application Firewall vs. Code Review

The Imperva SecureSphere Web Application Firewall meets the new PCI requirement for an application layer firewall. With the highest security and lowest total cost of ownership (TCO), SecureSphere is the clear choice from both security and financial perspectives. If your enterprise handles credit card information, you must meet the requirements under the new Payment Card Industry Data Security Standard version 1.1 (PCI DSS), released September 2006. With PCI requirement 6.6, the brand new Web application security requirement, it's your choice: you can have your code reviewed by an external company or you can install a Web Application Firewall. This paper details PCI requirement 6.6, the issues, the products involved, and the costs associated with choosing a code review versus selecting an application firewall.
Executive Summary

In September 2006, five major credit card companies formed the PCI Security Standards Council and issued the second version of the PCI Data Security Standard, 1.1 (PCI 1.1). The new PCI standard contains a brand new requirement, 6.6, which mandates that all Web-facing applications be protected against known attacks, either by submitting to an external code review or by installing an application layer firewall.

Since the first PCI standard, 1.0, was released in January 2005, high-profile security breaches involving Web applications have continually hit the news wire. Recently, a breach at AT&T's online store for DSL equipment resulted in the theft of cardholder information for 19,000 customers. No industry, educational institution or government agency is immune to the threat, and the theft can come from inside an organization or from outside, including nearly anywhere on the globe. Researchers at Imperva's Application Defense Center have found that over 90% of Web applications have vulnerabilities. Web application vulnerabilities are the impetus behind the new Web security requirement 6.6 in PCI 1.1.

Widely deployed security products, including network firewalls and intrusion prevention systems, do not provide adequate security for Web applications. These products are useful for guarding against network level attacks or application attacks that can be defined with signatures. However, they lack the full-spectrum visibility and sophisticated analytics necessary to detect and protect against Web application attacks that occur across layers and over time. This is why requirement 6.6 of PCI 1.1 specifies the deployment of an application layer firewall or the engagement of a third party firm specializing in application security to manually review application source code, line by line.
While code review is a good idea, and is consistent with coding best practices, calling in expensive outside consultants, as required under requirement 6.6, entails significant cost, loss of flexibility, resource allocation issues, and scheduling headaches. For these reasons, many companies have found it more cost effective to practice secure coding using their own in-house resources and to meet the PCI requirement by deploying a Web application firewall.

For security and total cost of ownership (TCO), the Imperva SecureSphere Web Application Firewall is your best choice for meeting the new PCI requirement. With SecureSphere, your organization can expect to achieve impressive cost savings over five years. In addition to consistent security and low TCO, SecureSphere provides your organization with flexibility and greater autonomy by enabling you to determine your own project parameters, timelines, and budget for addressing application code vulnerabilities.

The New PCI 6.6 Requirement

Requirement 6 of PCI 1.1 requires that organizations handling credit cards develop and maintain secure systems and applications. Within requirement 6, the new 6.6 requirement compels organizations to ensure that all Web-facing applications are protected against known attacks by applying either of the following methods:

1. Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
2. Installing an application layer firewall in front of Web-facing applications

Compliance under 6.6 is considered a best practice until June 30, 2008, when it becomes a requirement. Some companies have already implemented this requirement as part of their security roadmap, and others are starting their evaluation and selection process now in order to have their application layer firewall solutions installed in time for the deadline.
What is an Application Layer Firewall?

An application layer firewall, also known as a Web Application Firewall or WAF, is a network device that is placed in front of the Web applications in an organization's data center to protect them against attacks. A WAF is able to view and understand the full spectrum of application traffic, so that it can protect the applications and their sensitive data from illegitimate access and usage. The capabilities of the Imperva SecureSphere Web Application Firewall exceed those offered by other vendors' application firewall products by delivering a greater level of sophistication and automation. SecureSphere automatically and dynamically profiles Web applications based on production traffic in order to model the structure and dynamics of all of the elements of the protected applications. It then analyzes all Web traffic in real time, so that it accurately identifies illegitimate, unauthorized, and suspicious behavior. SecureSphere can enforce form fields, cookies, and URL parameters per Web page to protect Web applications from attacks such as form tampering, session manipulation, and SQL injection. SecureSphere operates transparently to the network, applications and databases, with zero changes to the data center infrastructure.

What is NOT an Application Layer Firewall?

Network firewalls and intrusion detection/prevention systems (IDS/IPS) are not application layer firewalls. While network firewalls and intrusion prevention systems are useful tools to secure your network and application infrastructure, they do not provide the level of protection that a Web Application Firewall provides. These traditional network security products can detect known intrusion signatures, but they cannot place those signatures in context, because they cannot parse HTML for the individual elements, fields, JavaScript, cookies and other components of Web applications.
A Web Application Firewall not only detects attack signatures, but also recognizes where in the HTTP transaction the signature occurred. In addition, each Web request is compared to the expected behavior, enabling the WAF to correctly assess not only white-listed and black-listed patterns but also the gray signatures in between, in order to block unknown threats. A Web Application Firewall thwarts Web-based evasion techniques by decoding and inspecting URL-encoded data. Because network firewalls and IPS products do not provide this level of security, they would not satisfy PCI requirement 6.6.

Vulnerability scanners also are not a substitute for code review or an application layer firewall. As such, they are not relevant to the new requirement 6.6 in PCI 1.1. They are applicable to another requirement of PCI 1.1, requirement 11.3.2, which calls for penetration testing of the external application against a variety of vulnerability exploits and application attacks.

IDS/IPS and network firewalls won't accurately protect against:
- SQL injection
- Cross-site scripting attacks
- Application specific buffer overflow attacks
- Parameter tampering
- Session hijacking
- Session replay
- Cookie injection
- Cookie poisoning
- Brute force login attempts
- Unknown, zero-day Web worms
- Illegal HTTP encoding (double encoding, malicious encoding)
- Site scanning and reconnaissance
- OS command injection in form fields
- XML and SOAP attacks
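The per-page enforcement of expected parameters and the decoding of URL-encoded data described above, as an added example that is not Imperva's or the paper's code: a small positive-security check in Python. The PROFILE table, its page paths (/checkout, /login) and parameter names are constructed for illustration; a real WAF would learn such a profile from production traffic.

```python
# Added example, not Imperva's code: a minimal positive-security model of the
# kind the paper describes. A per-URL profile lists the parameters a page is
# expected to submit and what each value may look like; requests are checked
# only after URL-decoding, so encoded evasions are inspected in decoded form.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed profile for two hypothetical pages, written by hand here.
PROFILE = {
    "/checkout": {"item": r"\d{1,6}", "qty": r"\d{1,2}", "coupon": r"[A-Z0-9]{0,8}"},
    "/login": {"user": r"[\w.@-]{1,64}", "pw": r".{1,128}"},
}
MAX_DECODE_PASSES = 3  # bound the work a nested encoding can force


def canonical(value: str) -> tuple[str, int]:
    """Decode until the value stops changing. Returns the decoded value and the
    number of passes that changed it; any pass beyond the one the query parser
    already applied means the value arrived double-encoded."""
    passes = 0
    while passes < MAX_DECODE_PASSES:
        decoded = unquote(value)
        if decoded == value:
            break
        value, passes = decoded, passes + 1
    return value, passes


def inspect_request(path_and_query: str, profile=PROFILE) -> list[str]:
    """Check one GET request target against the profile.
    Returns a list of violations; an empty list means the request is allowed."""
    parts = urlsplit(path_and_query)
    expected = profile.get(parts.path)
    if expected is None:
        return [f"unknown page {parts.path}"]
    violations = []
    # keep_blank_values so that an emptied parameter is still checked
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl has already decoded one layer; look for further layers
        value, extra = canonical(raw)
        if extra > 0:
            violations.append(f"{name}: double-encoded value")
        if name not in expected:
            violations.append(f"{name}: parameter not in profile")
        elif not re.fullmatch(expected[name], value):
            violations.append(f"{name}: value {value!r} violates profile")
    return violations


if __name__ == "__main__":
    # Constructed sample request targets: legitimate, extra parameter
    # (tampering), and a double-encoded value (illegal encoding).
    for target in ("/checkout?item=1234&qty=2&coupon=SAVE10",
                   "/checkout?item=1234&qty=2&debug=1",
                   "/checkout?item=12%2534&qty=2"):
        print(target, "->", inspect_request(target) or "allowed")
```

Note that the double-encoded request is flagged even though its decoded value ("124") would satisfy the profile: the encoding itself is the anomaly, which is the point of the "illegal HTTP encoding" entry in the list above.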
Benefits of the Imperva Web Application Firewall

Web applications are the portals to your data centers, where business critical financial information and sensitive credit card and identity data reside. The Imperva SecureSphere Web Application Firewall provides the security necessary to protect your sensitive data and enables you to check off requirement 6.6 for PCI 1.1. A single SecureSphere WAF protects multiple applications. It can be installed in hours with no impact on existing infrastructure. Because of SecureSphere's unique Dynamic Profiling capabilities, it automatically builds a complete baseline profile of your applications and network traffic in a matter of days. Using the application profile, SecureSphere can distinguish between legitimate and illegitimate user behavior as well as protect against attacks. When changes are made to the applications, Dynamic Profiling technology enables SecureSphere to detect the application changes and automatically adjust its profiles accordingly. No manual intervention or tuning is necessary, keeping your on-going administrative costs far lower than those of other WAF products. Of course, you can choose to be notified about these application changes through alerts and change logs in order to provide a closed loop for your application change control process.

Patent-pending Instant Attack Validation (IAV) and Correlated Attack Validation technologies in SecureSphere contribute to an unparalleled ability to accurately identify and protect against known and zero-day infrastructure attacks, including complex attacks that occur over multiple layers and over time. SecureSphere not only provides improved security but also is an automated means to achieve and document regulatory compliance. SecureSphere includes the necessary functionality and built-in and customizable reports for a wide range of regulatory compliance, including PCI, SOX, and HIPAA.
The Alternative: Bring in the Consultants

If you decide not to deploy a Web Application Firewall such as the Imperva SecureSphere in front of Web-facing applications, your organization will need to engage a specialist in Web application security to go through your Web application source code, line by line, for each Web-facing application. While code review is a good idea, and is consistent with coding best practices, hiring consultants entails extra cost, loss of flexibility, resource allocation issues, scheduling headaches, and ultimately a lower grade of security than you would achieve through the deployment of a Web Application Firewall.

There have been a couple of estimates as to the cost of a code review. One estimate is that the annual average cost would be about $40,000 in consulting fees for EACH small-to-medium sized Web application [1]. Another estimate is that it would cost approximately $5 per line of Web application code [2]. This quickly adds up given the size of modern Web applications. Multiply these estimates by the number of Web-facing applications your organization has, and the cost associated with undergoing an application code review is considerable.

To begin the code review process, your IT organization needs to prepare and organize the code to present to the consultants and make themselves available for questions and requests for additional information. Once the consultants finish their code review and find vulnerabilities, your organization will need to schedule fix and test cycles to make sure the changes work. Unfortunately, that is not the end of the code review process, because an individual find, fix, and test cycle does not find all of the vulnerabilities in an application. According to researchers at Imperva's Application Defense Center (ADC), at least 90% of the time there are still vulnerabilities after this process is complete. This has several causes.
First, application code changes can introduce new bugs which contain security vulnerabilities. So, new vulnerabilities are introduced during the fixing process itself, and more are introduced as part of the normal development process of enhancing an application. Secondly, the identified vulnerabilities are often not fixed by the recoding intended to fix them. Without the proper expertise or resources, your organization may unwittingly enter into an endless and costly find, fix, and test loop that ties up your programmers and keeps consultants on your accounts payable list for months or years, if the cycle extends long enough to bump into the next year's code review. An endless code review, fix, and test cycle should not be confused with continuous security.

By selecting a code review, your organization also can be subject to the disruptions of consultants, which narrows the time and detracts from the focus your staff requires to accomplish existing projects and initiatives. If you deployed a Web Application Firewall and your staff was in control of the code review, you would be able to schedule the fix and test cycle to synchronize with your next development cycle. With consultants, fixes happen on their time, not yours.

[1] Jeremiah Grossman, CTO, WhiteHat Security
[2] Robert Begg, CEO, Digital Defense

For TCO and Security, Imperva is the Clear Choice

The following chart shows the total cost of ownership (TCO) analysis for a medium-sized company that processes credit cards with two to three Web-facing applications. The table is a five year comparison of the cost of doing a code review with an external consultant versus the purchase, installation, and on-going operation of a SecureSphere Web Application Firewall. Of course, your results would differ based on the specifics of your situation. You can request a custom analysis for your organization from Imperva based on the model used to create this example.
SecureSphere vs. Code Review - TCO Model for PCI Requirement 6.6

Five Year Cost Pro Forma for Code Review [3]

                     Year 1     Year 2     Year 3     Year 4     Year 5
Code Review Costs    $120,000   $120,000   $120,000   $120,000   $120,000
Total                $120,000   $120,000   $120,000   $120,000   $120,000

Five Year Cost Pro Forma with SecureSphere [4]

                                          Year 1    Year 2    Year 3    Year 4    Year 5
SecureSphere Purchase                     $31,000   $0        $0        $0        $0
SecureSphere Software Maintenance/Support $6,200    $6,200    $6,200    $6,200    $6,200
SecureSphere Administration Labor         $7,100    $7,100    $7,100    $7,100    $7,100
Total                                     $44,300   $13,300   $13,300   $13,300   $13,300

Total Cost of Ownership and Savings

Present Value of TCO of Code Review             $462,597
Present Value of TCO of SecureSphere            $82,271
Cost savings of SecureSphere vs Code Review     $380,326
% Cost savings of SecureSphere vs Code Review   82%

Notes/Assumptions
SecureSphere Savings is the total savings divided by the TCO of the Code Review. The present value calculation assumes payments made at the beginning of each period.
[3] The code review cost is based on a company with two to three medium-sized, Web-facing applications.
[4] The year 1 TCO for SecureSphere is based on a single SecureSphere appliance with MX Management Server, licensing, support, and administration labor. Subsequent years assume the cost of licensing, support, and administration labor. Actual costs may differ based on specific environments and needs.
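Re-computing the table's present values, as an added example that is not part of the white paper or Imperva's model: the paper gives the yearly cash flows and states that payments fall at the beginning of each period, but it does not state its discount rate. A 15% annual rate is an inferred assumption, used here because it reproduces the published totals to the dollar; substitute your own cash flows and rate to rerun the comparison for a different environment.

```python
# Added example, not Imperva's model: re-computing the present values in the
# TCO table. Cash flows are the table's; the discount rate is NOT given in the
# paper, and 15% per year is an inferred assumption that reproduces its totals.
from typing import Sequence

DISCOUNT_RATE = 0.15  # assumption: inferred, not stated in the paper

# Yearly cash flows from the table (year 1 .. year 5)
CODE_REVIEW_COSTS = [120_000] * 5
SECURESPHERE_COSTS = [44_300, 13_300, 13_300, 13_300, 13_300]


def present_value(costs: Sequence[float], rate: float = DISCOUNT_RATE) -> float:
    """Present value of a cost stream paid at the beginning of each year
    (an annuity due): the year-1 payment is undiscounted and the year-n
    payment is divided by (1 + rate) ** (n - 1)."""
    return sum(cost / (1 + rate) ** year for year, cost in enumerate(costs))


def tco_comparison(baseline: Sequence[float], alternative: Sequence[float],
                   rate: float = DISCOUNT_RATE) -> dict[str, int]:
    """Rounded PV of both options, plus absolute and percentage savings of the
    alternative over the baseline. The percentage is savings divided by the
    baseline PV, as the table's notes define it."""
    pv_base = present_value(baseline, rate)
    pv_alt = present_value(alternative, rate)
    savings = pv_base - pv_alt
    return {
        "pv_baseline": round(pv_base),
        "pv_alternative": round(pv_alt),
        "savings": round(savings),
        "savings_pct": round(100 * savings / pv_base),
    }


if __name__ == "__main__":
    for key, value in tco_comparison(CODE_REVIEW_COSTS, SECURESPHERE_COSTS).items():
        print(f"{key:15} {value:>10,}")
```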
In the above scenario, a single SecureSphere Web Application Firewall provides significant cost savings in the first year. In effect, the investment pays for itself during the first year, several times over. Subsequent years serve to expand the savings margin, as the initial hardware purchase and installation have already occurred, while the annual costs of code reviews recur every year. The on-going costs of a SecureSphere Web Application Firewall are very low due to the minimal need for ongoing administration and management, and the software update service that keeps the product current with new security features. The bottom line is that the benefits in terms of security and monetary investment continue to grow each year SecureSphere is deployed in your IT environment.

The costs associated with the alternative choice under requirement 6.6, a code review by an outside consultant, will be high the first year and remain high every year after that. Application vulnerabilities will be with us as long as there is ongoing development from within your organization and patch releases from the vendor. The application code will never stay the same from year to year, and will continue to contain the unfixed security issues as well as new ones. Source code analysis tools may be used to speed code reviews, but these tools still require a significant amount of manual source code review. The bottom line: to be compliant with PCI 1.1 requirement 6.6 under the external code review option, you would need to undergo an annual code review of approximately the same magnitude, year after year.

Summary

SecureSphere not only secures critical Web applications and sensitive data, but it also significantly reduces the operational cost of maintaining a high degree of security.
SecureSphere accomplishes this by eliminating the need for costly consultant-run code reviews and the corresponding fix and test cycles. The Imperva SecureSphere Web Application Firewalls provide the necessary automation to continually protect your organization against complex Web application vulnerabilities. The sensitive data that is transacted through your business critical Web applications is protected from within your organization and throughout your organization's wider network of customers, partners, and affiliates. The calculated savings are significant. They show that the investment in SecureSphere pays for itself in the first year and, after five years, shows a comparatively small TCO. If you would like to apply this TCO analysis to your own organization, please call Imperva at +1-866-926-4678 or send an e-mail to sales@imperva.com.

For More Information

For more information on the Imperva SecureSphere Web Application Firewall see http://www.imperva.com/products/securesphere/web_application_firewall.html.

US Headquarters
950 Tower Lane, Suite 1550
Foster City, CA 94404
Tel: +1-650-345-9000
Fax: +1-650-345-9004

International Headquarters
12 Hachilazon Street
Ramat-Gan 52522, Israel
Tel: +972-3-6120133
Fax: +972-3-7511133

2006 Imperva, Inc. All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders. WP_PCI-AFWvCR1206.02