How a WAF helps you to comply with PCI DSS

A WAF, or web application firewall, protects your website from attacks and can also improve its performance. It is also a key element if you have to comply with PCI DSS. If you store your users' credit card data, a WAF is the ideal complement:

  • A WAF comes into play in the deployment and go-live phase of any web development that follows a Secure SDLC (Software Development Life Cycle)
  • It protects the application when a vulnerability was not detected during the development process

It is therefore the ideal way to meet the optional part of PCI Requirement 6, “Develop and maintain secure systems and applications”.

What PCI DSS requirements are related to a WAF?

The conditions that a WAF must meet to comply with PCI DSS are:

  • Be configured in front of the applications to detect and prevent web attacks. It works like a proxy, acting as an intermediary between the client and the application, so there is no unprotected alternate path that bypasses it and leaves the application exposed.
  • Operate actively and be kept up to date, as appropriate.
  • Generate audit logs.
  • Either block web attacks or generate an alert.

Criteria for choosing a WAF if you want to meet PCI DSS

In terms of security, a WAF works much like an antivirus solution: it uses attack signature patterns and analyzes the behavior and logic of HTTP traffic to prevent potential attacks. The things to keep in mind when choosing a WAF to meet PCI DSS are:

  • At a minimum, it should be able to detect the vulnerabilities listed in the OWASP Top Ten
  • It must be able to analyze the different technologies used by web applications, such as XML, SOAP, WSDL, XML-RPC, UDDI, JSON, etc.
  • It must receive constant updates
  • To behave correctly, it must have a very low false positive rate, so that it does not block legitimate requests and affect your business. That is why we recommend an adaptation phase in your environment before enabling blocking
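The two lists above (in-line inspection, audit logs, block-or-alert, and a tuning phase to drive down false positives) can be illustrated with a minimal inspector. This is an added example, not WeSecur's product or code; the rule ids, signature patterns, request samples and the `exclusions` mechanism are constructed for illustration:

```python
import json
import re
from datetime import datetime, timezone

# Constructed signature patterns with hypothetical rule ids (not a real WAF rule set).
RULES = {
    "SQLI-001": re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s*'\w*'\s*=\s*'"),
    "XSS-001": re.compile(r"(?i)<\s*script\b|javascript:"),
    "TRAV-001": re.compile(r"\.\./"),
}

class Waf:
    """Proxy-style inspector: every request to the application passes through inspect()."""

    def __init__(self, mode="detect", exclusions=None):
        self.mode = mode                    # "detect" = alert only (adaptation phase), "block" = reject
        self.exclusions = exclusions or {}  # path -> rule ids tuned out as known false positives
        self.audit_log = []                 # one JSON line per request, for the audit trail

    def inspect(self, request):
        # Inspect the surfaces an attacker controls: path, query string and body.
        surfaces = " ".join([request.get("path", ""), request.get("query", ""), request.get("body", "")])
        skip = self.exclusions.get(request.get("path"), set())
        hits = [rid for rid, rx in RULES.items() if rid not in skip and rx.search(surfaces)]
        if not hits:
            action = "allow"
        elif self.mode == "block":
            action = "block"
        else:
            action = "alert"
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "client_ip": request.get("client_ip"),
            "method": request.get("method"),
            "path": request.get("path"),
            "rules": hits,
            "action": action,
        }
        self.audit_log.append(json.dumps(entry))  # every decision is logged, allowed or not
        return action

def demo():
    # Constructed requests: one injection attempt and one legitimate search that trips a signature.
    attack = {"client_ip": "203.0.113.7", "method": "GET", "path": "/login",
              "query": "user=admin' or '1'='1", "body": ""}
    search = {"client_ip": "198.51.100.9", "method": "GET", "path": "/search",
              "query": "q=union select committee minutes", "body": ""}
    monitor = Waf(mode="detect")                     # adaptation phase: alert, never block
    first = (monitor.inspect(attack), monitor.inspect(search))
    tuned = Waf(mode="block", exclusions={"/search": {"SQLI-001"}})  # false positive tuned out
    second = (tuned.inspect(attack), tuned.inspect(search))
    return first, second
```

Running `demo()` returns `(("alert", "alert"), ("block", "allow"))`: in detect mode both requests only raise alerts, and after the search false positive is excluded the blocking configuration stops the attack while letting the legitimate query through.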

And this is where we can best help you protect your website: the WeSecur WAF plan.

How a WAF helps you to comply with PCI DSS was last modified: May 10th, 2019 by WeSecur