If you already have the in-house expertise, a WAF looks like a simple way to meet your compliance requirements. But in IT security there is never such a simple answer. For example, a Web Application Firewall cannot prevent damage caused by logic defects in the application. Today's Web 2.0 applications use a great deal of dynamic code, and given their complexity, logic defects are easy to introduce.
In this situation the benefits of code review are apparent. By fixing problems at the code level you remove security-related design and programming defects and other serious hazards, and each updated version of the application improves its overall security.
There are four code review methods that meet the PCI DSS requirements:
• Manual review of the application source code
• Automated source code analysis tools
• Manual web application security vulnerability assessment
• Automated web application security vulnerability assessment tools
Source code review may be the most thorough option. The analyst traces the exact flow of data through the program, and nothing escapes their eyes. The analyst also considers the particular attributes of the application domain, such as credit card numbers and personal data, in order to identify every security vulnerability.
The main disadvantage of this method is that finding all the vulnerabilities in a widely used web application is time-consuming and expensive. It requires technically skilled, experienced engineers with deep knowledge of both application development and security. Although the exact cost varies with the complexity of the program, you may still have to pay tens of thousands of dollars. Keep in mind that a source code review does not require the ongoing maintenance a firewall does (although future versions still have to be reviewed, and your developers must still be able to fix the vulnerabilities that are found).
If the reviewer is trained in code evaluation and is not one of the application's developers, the review meets the qualification requirements of the PCI standard.
However, only large enterprises that regularly develop their own applications can economically justify dedicated code reviewers.
The PCI standard also approves the "correct use of automated application source code analysis (scanning) tools" and the "correct use of automated web application security vulnerability assessment (scanning) tools". Although static analysis tools cannot test the extent to which an application complies with security policy, nor find backdoors in an application the way a manual code review can, they can shorten the time needed to review large and complex applications.
High-end products of this kind use sophisticated techniques such as data flow analysis, control flow analysis and pattern recognition to identify potential security vulnerabilities. I say potential because the results may contain a large number of false positives. The advantage is that they can analyse highly complex code and pick out the issues worth attention, and that capability is what makes this type of tool worthwhile.
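As an added illustration, not from the article or any real tool: a toy static analyser over a constructed Python handler, showing why a pure pattern-recognition rule reports a false positive on a sanitised query that a data-flow rule does not. The framework names (`request.args.get`, `cursor.execute`) and the sanitizer list are assumptions.

```python
import ast
# Constructed sample handler (not real project code): line 4 builds SQL from raw input, line 6 sanitises with int(), line 7 is parameterised.
SAMPLE = '''\
def show(request, cursor):
    user = request.args.get("user")
    q = "SELECT * FROM t WHERE name = '" + user + "'"
    cursor.execute(q)
    page = int(request.args.get("page"))
    cursor.execute("SELECT * FROM t LIMIT " + str(page))
    cursor.execute("SELECT * FROM t WHERE id = %s", (user,))
'''
SOURCES = {"request.args.get"}  # assumed framework call returning attacker-controlled input
SINKS = {"cursor.execute"}      # first argument must not carry untrusted data
SANITIZERS = {"int"}            # calls whose result we treat as safe for the sink

def dotted(node):
    """Return 'a.b.c' for a name or attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def pattern_scan(src):
    """Pattern recognition only: flag every sink whose first argument is not a string literal."""
    return sorted(n.lineno for n in ast.walk(ast.parse(src)) if isinstance(n, ast.Call)
                  and dotted(n.func) in SINKS and n.args and not isinstance(n.args[0], ast.Constant))

def tainted(node, env):
    """Does the expression carry data from a source, with no sanitizer on the way?"""
    if isinstance(node, ast.Name):
        return node.id in env
    if isinstance(node, ast.Call):
        name = dotted(node.func)
        if name in SANITIZERS or name in SOURCES:  # a sanitizer stops taint, a source starts it
            return name in SOURCES
        return any(tainted(a, env) for a in node.args)
    return any(tainted(c, env) for c in ast.iter_child_nodes(node))

def dataflow_scan(src):
    """Data-flow analysis over straight-line code: report only sinks actually reached by taint."""
    findings = []
    for func in (n for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)):
        env = set()  # names currently holding tainted values
        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                (env.add if tainted(stmt.value, env) else env.discard)(stmt.targets[0].id)
            elif isinstance(stmt, ast.Expr) and isinstance(call := stmt.value, ast.Call):
                if dotted(call.func) in SINKS and call.args and tainted(call.args[0], env):
                    findings.append(stmt.lineno)
    return findings
```

The pattern rule flags lines 4 and 6 (line 6 is a false positive), the data-flow rule flags only line 4; a real tool would also need control-flow analysis for branches and loops, which this toy ignores.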
Code review value for money
Whether or not it is labelled a "vulnerability assessment", code review can provide a more cost-effective way to meet regulatory requirements. Many will argue that applications have become so complex that there are many approaches more practical than code review. A vulnerability assessment can reveal vulnerabilities, but only those an untrusted outsider could exploit, not those a trusted user could misuse. Similarly, problems such as unencrypted sensitive data go undetected, because the application's user interface is the only attack vector it examines. In addition, testing the application in a product test environment is not always feasible and is often expensive.
As a compromise between checking the code yourself and buying a commercial assessment suite, you can use open-source web security testing tools. Many of these can be found through the Open Web Application Security Project (OWASP).
When you look at this market you will find that some vendors of automated tools also offer flexible services that make the review process simple and cost-effective. Outsourcing your testing to specialist analysts, such as Veracode or WhiteHat Security, has real advantages: you no longer have to install or learn to use a tool, and you get useful results from professional testers.
Whether testing is outsourced or managed internally, remember that both are constrained in ways that attackers are not. For example, your supplier may not welcome you probing deep into their network just to determine whether it could be used as a path into your own; attackers have no such hesitation.
Source: Hongke Network Security official forum, http://bbs.honkwin.com