Wednesday, August 22, 2007

OnSecurity podcast: taking issue with PCI DSS Web Application Firewall Requirements

I have already noted that equating a web application firewall with an application that has been security source-code reviewed and threat modeled is ridiculous. Dinis Cruz will remind you that the most devastating web application flaws are business logic flaws, which none of these devices will find. Even web application scanners are ineffective for most things beyond low-hanging fruit.
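To make the point concrete, here is an added example (not code from the original post, and not from any product it mentions) that simulates a signature-based WAF in front of two versions of a hypothetical checkout handler. The WAF rules, price book, and the `qty` range invariant are all constructed for illustration. A request carrying an injection-style payload is stopped at the WAF, but a request that simply sends a negative quantity sails through, because nothing in a signature matcher knows what a valid order looks like; only the reviewed handler that enforces the business rule server-side rejects it.

```python
import re

# Constructed stand-in for a signature-based web application firewall:
# it only knows injection-style payload patterns and inspects each parameter value.
SIGNATURES = [
    re.compile(r"(?i)<script"),                 # cross-site scripting attempt
    re.compile(r"(?i)\bunion\b.*\bselect\b"),   # SQL injection attempt
    re.compile(r"\.\./"),                       # path traversal attempt
]


def waf_allows(params: dict) -> bool:
    """Return True when no parameter value matches a known attack signature."""
    return not any(sig.search(str(v)) for v in params.values() for sig in SIGNATURES)


# Hypothetical price book used by the checkout handler.
PRICE_BOOK = {"widget": 25.00}


def checkout_unvalidated(params: dict) -> float:
    """'Before' version: trusts the client-supplied quantity (a business logic flaw).

    A negative quantity yields a negative total, i.e. a credit, and no WAF
    signature will ever fire on the string "-3".
    """
    qty = int(params["qty"])
    return PRICE_BOOK[params["item"]] * qty


def checkout_validated(params: dict) -> float:
    """'After' version: the business rule (known item, 1 <= qty <= 100) is enforced
    in the application, where the meaning of the field is actually known."""
    item = params["item"]
    if item not in PRICE_BOOK:
        raise ValueError("unknown item")
    qty = int(params["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return PRICE_BOOK[item] * qty


def run_request(params: dict, handler):
    """Pass a request through the WAF, then the chosen application handler.

    Returns the order total on success, or a string describing which layer
    rejected the request.
    """
    if not waf_allows(params):
        return "blocked by WAF"
    try:
        return handler(params)
    except ValueError as exc:
        return f"rejected by application: {exc}"


if __name__ == "__main__":
    xss = {"item": "widget", "qty": "<script>alert(1)</script>"}
    negative = {"item": "widget", "qty": "-3"}
    print(run_request(xss, checkout_validated))          # blocked by WAF
    print(run_request(negative, checkout_unvalidated))   # -75.0 (WAF saw nothing wrong)
    print(run_request(negative, checkout_validated))     # rejected by application
```

The design point is that the WAF and the application are looking at different things: the WAF matches bytes against patterns it has seen before, while the validated handler checks the request against an invariant of the business, which is exactly the class of check a code review or threat model produces and a signature device cannot.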

Holes in the Firewall?

Are there shortcomings in the application layer firewall requirements set by the PCI Security Standards Council? Paul Henry, vice president of technology and evangelism at Secure Computing Corp., thinks so, and explains to Lisa Vaas in the OnSecurity podcast.
