Organizations handling credit cards feel pressure building: the deadline for
PCI Requirement 6.6 compliance [1] has passed, and well-documented
breaches have heightened the concerns of the public and of regulatory agencies
about how well companies are securing consumer-specific information.
Despite some initial advances, sensitive information is still frequently stolen. The internal threat remains an issue, and it is magnified by extended partnerships, which ultimately mean that more tasks are performed outside company facilities. In increasingly complex technical and business environments, no single security approach can deal with all the new and innovative intrusions. However, the lack of a security silver bullet doesn't mean data security is impossible. It simply means that businesses have to take a multi-pronged approach to data security.
This article is based on a project case study in protecting an enterprise application environment, including web-oriented applications. The article is PCI 6.6-oriented and compares the use of Web Application Firewalls (WAF) with code reviews for web-facing applications. It also addresses code scanning that is not web related. Extending the code reviews into the non-web applications, we also briefly discuss other types of protections. Other articles have already discussed how to protect against SQL injection into the database, and against internal threats, including a DBA that impersonates a user. The section "Protecting the data flow" includes a few pointers to resources discussing protection of the enterprise data flow. The code review section is longer, since this is an evolving area from a PCI perspective, focusing on WAF and complementary code scanning.
This article will compare WAF and web-based code reviews, and point to resources [15] discussing the whole data flow, which then involves much more than C/C++ code scanning.
www.insecuremag.com