PCI DSS compliance: Web application firewall or code review?

id:ikepyonw (via Security Entries by Date - (CGISecurity.com))

In the end it seems to come down to WAF or code review, or tools, for PCI DSS.

On June 30, Requirement 6.6 of the Payment Card Industry (PCI) Data Security Standard (DSS) -- whose goal is to ensure that Web-facing applications are protected against known attacks by either completing a code review or installing a Web application firewall (WAF) -- moves from a best practice to a requirement.
In April, the PCI Security Standards Council, which oversees the standard, issued clarifications to 6.6, spelling out more clearly what a WAF needs to do, while at the same time breaking out four alternatives for doing a code review. Security professionals say the clarifications are a move in the right direction, but warn that, as with any standard, there are limitations, and companies will still face some hurdles to meet the deadline if they are not already well on their way.

What companies will have to do to be in compliance with Requirement 6.6 is implement one of two options to protect Web applications. The first is a code review, and there are now four alternatives for doing a code review:

  • Manual review of application source code
  • Proper use of automated source code analyzer tools (scanners)
  • Manual web application security vulnerability assessments
  • Proper use of automated Web application security vulnerability assessment tools (scanners)