Organizations handling credit cards feel pressure building as the deadline for PCI Requirement 6.6 compliance has passed and well-documented breaches have heightened the public's and regulatory agencies' concerns about how well companies are securing consumer-specific information. Despite some initial advances, sensitive information is still frequently stolen. Internal threats remain an issue, magnified by extended partnerships that ultimately lead to more tasks being performed outside company facilities. In increasingly complex technical and business environments, no single security approach can deal with all the new and innovative intrusions. However, the lack of a security silver bullet doesn't mean data security is impossible. It simply means that businesses have to take a multi-pronged approach to data security.
This article is based on a project case study in protecting an enterprise application environment, including web-oriented applications. The article is PCI 6.6-oriented and compares the use of Web Application Firewalls (WAF) with code reviews for web-facing applications. It also addresses code scanning that is not web related. Extending the code reviews into the non-web applications, we also briefly discuss other types of protection. Other articles have already discussed how to protect against SQL injection into the database and against internal threats, including a DBA that impersonates a user. The section "Protecting the data flow" includes a few pointers to resources discussing protection of the enterprise data flow. The code review section is longer since this is an evolving area from a PCI perspective, focusing on WAF and complementary code scanning.
This article will compare WAF and web-based code reviews, and point to resources discussing the whole data flow, which involves much more than C/C++ code scanning.