Securing Your Web Site: The Wild Goose Chase
The revised Payment Cards Industry Data Security Standard (PCI-DSS) that was released recently did not provide any ground-breaking news regarding the requirement for the protection of publicly-facing web applications against vulnerabilities and web-application attacks. Theoretically, merchants that are bound to PCI-DSS compliance still have two options: Either use an automated technical solution (this is the new term the PCI Security Standards Council gives to Web Application Firewalls) to protect the merchant's publicly facing Web applications; or alternatively, merchants can review all of their public-facing web applications with vulnerability security assessment tools and ensure that there are no known vulnerabilities.
Here lies the difference between theory and reality. PCI requires merchants to review their web applications after each change (or at least once annually). This turns the vulnerability assessment and fixing process into a non-practical solution. To better understand this, let's refer to the 2013 WhiteHat Web Site Security Statistics Report. In that survey, 91 percent of e-retail sites that were analyzed had at least one serious vulnerability. On average, e-retail web sites had 106 serious vulnerabilities per year. The most interesting data point from this report is that it took 224 days to fix these vulnerabilities.
This has several implications. If it takes 224 days to fix these vulnerabilities, this means that for almost two-thirds of the year the site is vulnerable to attacks and is not compliant with PCI-DSS requirements. More importantly, reading further in the WhiteHat's report, we find out that 60 percent of the e-retailers change their applications once a month, and 40 percent of e-retailers update their sites once a week or more. This means that it takes more than seven months to fix the vulnerabilities, while applications are changing, which in turn, can potentially create new vulnerabilities on a daily, weekly or monthly basis.
Don't get me wrong. I'm all for secure development of web sites and applications. I feel web sites should be scanned for vulnerabilities and, once found, they should be fixed. However, this can be a little complicated. If you are part of the security group on the retailer's side, you are not always aware of changes the application team is making. Even if you are aware, the code is sometimes written by a third party, or it is a legacy code that no one knows how to change anymore.
The bottom line: Building your website security infrastructure on vulnerabilities scanning and fixing is not practical. Making your PCI-DSS compliance rely on scanning and fixing may cause your company not to pass PCI-DSS audits and not to comply with the regulation.
Complying with PCI-DSS requirements for secure Web applications (requirement 6.6) and securing your Web application only has one practical solution: Web Application Firewall (or to follow the new term used by the PCI Security Council - "automated technical solution.") All WAF solutions offer web protection at the application level, most of them comply with the Open Web Application Security ProjectÂ (OWASP)Â Top Ten Threats, and they all offer a combination between Positive and Negative security models.
On the other hand, WAF solutions are known to consume lots of application management resources (that's you and your workers). This is where the difference between a practical WAF solution and a not-so-practical one lies. One of the key selection criteria for your next WAF solutions should be the ability to automatically adapt the solution's protection policies without human intervention and with as few as possible false-positives and false negatives.
With so many rapid changes, the automatic ability to adapt the WAF policies is the only way to ensure that your site is protected even as it is evolved and changed, without investing too many resources in keeping its security mechanisms up to date. It allows alignment of the Web application life cycle development process with the protection process. It ensures that the Web application security is applied in a timely manner and enables protection while applying new changed.
With 15 years of experience in the info-security market, Motty is responsible for the product marketing activities of Radware's security products division. Motty shares his knowledge on various aspects of the info-security market through speaking engagements at industry conferences and as a guest writer in several info-security blogs. His focus is application and network security and the latest ways to protect companies from emerging threats. At Radware, Motty is responsible for building Radware's security product-line's go-to-market strategy as well as analyst and media briefings.