
Forensic analysis of compromised cardholder data has shown that Web applications are frequently the initial point of attack on cardholder data, through SQL injection in particular.
PCI DSS Requirement 6.6 provides two options intended to address common threats to cardholder data and to ensure that input to Web applications from trusted environments is inspected "top to bottom": application code review or a Web Application Firewall (WAF).
The minimum set of vulnerabilities to protect against is described in Requirement 6.5 or in the OWASP Top 10, which is regarded as a reference list of the most critical current Web application threats.
Although both options are considered best practices, Web Application Firewalls are clearly the most cost-effective option for complying with PCI DSS Requirement 6.6 while providing essential security.
The Deny All WAF solution combines a state-of-the-art security level with global application delivery features, such as acceleration functions, Web services protection and XML protection. This comprehensive feature set makes the Deny All WAF solution the best product for complying with PCI DSS 6.6.
"Implementing the Deny All Web Application Firewall was the most efficient and cost-effective solution to comply with the PCI DSS standard and to secure our growing number of web applications. The Deny All WAF solution was the easiest to deploy, configure and replicate of the solutions we looked at."
Petri Vuontela, Director, Customer systems at Aktia Bank
In the context of Requirement 6.6, an application firewall is a Web Application Firewall (WAF): a security policy enforcement point positioned between a web application and the client endpoint. This functionality can be implemented in software or hardware, running on an appliance device or on a typical server. It may be a stand-alone device or be integrated into other network components.
WAFs are designed to inspect the contents of the application layer of an IP packet, as well as the contents of any other layer that could be used to attack a web application.
IP packet structure follows a layered model, with each layer containing defined information that is acted upon by specific network nodes or components (physical or software-based) supporting the flow of information through the Internet or an intranet. The layer containing the application-processed content is called the application layer. Increasingly, WAF technology is integrated into solutions that include other functions, such as packet filtering, proxying, SSL termination, load balancing and object caching, which only reinforce their cost-effectiveness.
It is important to note that compliance is not assured by merely implementing a product with the capabilities described in this paper. Proper positioning, configuration, administration, and monitoring are also key aspects of a compliant solution.