

Cloud AppSec

Cloud computing was not designed for security, although organizations such as the Cloud Security Alliance (CSA) and the Open Web Application Security Project (OWASP) are making great strides in helping the industry solve the myriad security problems confronting cloud computing. The benchmark guidelines established by the CSA in the document Guidance for Critical Areas of Focus in Cloud Computing are a great first step. This white paper is intended to pick up where the CSA guide left off, defining what a distributed web application firewall (dWAF) should look like in order to meet the standards set within the CSA document.



What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was established by the PCI Security Standards Council, which consists of the leading credit card organisations. The standard details security requirements for storing, processing or transmitting cardholder data. The latest version, 1.2, was released in October 2008.

Who is affected by PCI DSS?

Merchants and (IT) service providers who process or store credit card data are advised to comply with PCI DSS. Non-compliance will lead to increasing transaction costs and/or fines or claims for damages (depending on the size of the organisation).

How does art of defence support your business in meeting PCI DSS?

PCI Requirement 6.6 became compulsory in July 2008. It states:

Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

  • Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
  • Installing an application layer firewall in front of web-facing applications

Additionally, since PCI DSS v1.2, source code reviews are obligatory for internal and external applications on a regular basis. Meeting these requirements either involves a lot of manual work, and hence high labour costs, or can be achieved by using (semi-)automated tools. In the current Information Supplement: Requirement 6.6, an ‘application firewall’ is defined as ‘… a web application firewall (WAF), which is a security policy enforcement point positioned between a web application and the client end point. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components. …’ The products of art of defence help you to comply with PCI DSS. Due to the products' high efficiency and ergonomics, they secure web applications easily and at low cost.

hyperguard:

The web application firewall hyperguard provides protection for web applications in use, in accordance with PCI Section 6.6. The logging functions integrated in hyperguard conform to the PCI audit requirements for security products described in sections 10.2, 10.3 and 10.6.

hypersource:

The web source code analyzer hypersource supports you with code reviews (PCI DSS 6.4.7) and offers the alternative route to securing web applications mentioned in PCI Requirement 6.6.

Compliance with PCI DSS

Everybody who stores, processes and/or transmits cardholder data has to comply with the security standards of the PCI DSS. The size of the organisation, retailer or service provider and the number of card transactions are irrelevant to this obligation. Retailers are, however, classified into different levels according to their yearly number of card transactions.

Level 1: Retailers with more than 6 billion card transactions p.a. per card brand across all distribution channels, and retailers whose card-specific customer data has already been compromised

Level 2: Retailers with 1 to 6 billion card transactions p.a. per card brand across all distribution channels

Level 3: Retailers with 20,000 to 1 billion e-commerce card transactions p.a. per card brand

Level 4: All other retailers

Depending on their level, retailers have to pass different external and internal checks (scans, audits) to reach PCI compliance (implementation of the PCI DSS) and to maintain it permanently.