6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
• Installing an automated technical solution that detects and prevents web- based attacks (for example, a web- application firewall) in front of public- facing web applications, to continually check all traffic.
6.6 For public-facing web applications, ensure that either
one of the following methods is in place as follows:
• Examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed—using either manual or automated vulnerability security assessment tools or methods—as follows:
◦ At least annually
◦ After any changes
◦ By an organization that specializes in application security
◦ That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment
◦ That all vulnerabilities are corrected
◦ That the application is re-evaluated after the corrections.
• Examine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows:
◦ Is situated in front of public-facing web applications to detect and prevent web-based attacks.
◦ Is actively running and up to date as applicable.
◦ Is generating audit logs.
◦ Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Public-facing web applications are primary targets for attackers, and poorly coded web applications provide an easy path for attackers to gain access to sensitive data and systems. The requirement for reviewing applications or installing web-application firewalls is intended to reduce the number of compromises on public-facing web applications due to poor coding or application management practices.
• Manual or automated vulnerability security assessment tools or methods review and/or test the application for vulnerabilities
• Web-application firewalls filter and block non- essential traffic at the application layer. Used in conjunction with a network-based firewall, a properly configured web-application firewall prevents application-layer attacks if applications are improperly coded or configured. This can be achieved through a combination of technology and process. Process-based solutions must have mechanisms that facilitate timely responses to alerts in order to meet the intent of this requirement, which is to prevent attacks.
Note: “An organization that specializes in application security” can be either a third-party company or an internal organization, as long as the reviewers specialize in application security and can demonstrate independence from the development team.