[PCI DSS 1.x] 6.6 Ensure that all web-facing applications are protected against known attacks by either of the fol

6.6 For web-based applications, ensure that one of the following methods is in place as follows:

  • Verify that custom application code is periodically reviewed by an organization that specializes in application security; that all coding vulnerabilities were corrected; and that the application was re-evaluated after the corrections
  • Verify that an application-layer firewall is in place in front of web-facing applications to detect and prevent web-based attacks

dotDefender - Web Application Firewall

In order to overcome these challenges, Israel-based Applicure through its product dotDefender v 3.6 has come out with a novel solution to secure applications across various sectors such as banking, telecom, and IT. Applicure dotDefender v 3.6 is a multiplatform centrally managed Web application firewall software plug-in that provides functionality that was previously available only in hardware appliances or for individual platforms. dotDefender uses a rule-based security model that is simple to configure, and can apply Web protection immediately, without requiring a long learning period. Additionally, rule-based security makes for efficient maintenance because it generates few false positives. This rule-based Web application firewall monitors and blocks attacks against Websites and Web applications.

dotDefender complements the network firewall and other network-based internet security products by intercepting seemingly legitimate users attempting to use the web application to commit fraud, or gain access to valuable and confidential information. dotDefender is a Website security software product that delivers excellent return on investment (ROI) through reasonable cost and simple deployment and maintenance, combined with effective web security. Residing on the Web server, dotDefender can be installed and implemented in minutes without influence on traffic or network architecture. The dotDefender Website protector comes with a predefined set of internet security rules for out of the box best practices website protection. Automatic live update ensures Website security that is ready to counter the latest malicious attacks.

The technology complements the network firewall and other network security products by intercepting seemingly legitimate users attempting to use the Web application to commit fraud, or gain access to valuable and confidential information.

It provides a broad attack coverage including Web application attacks and session attacks, including SQL injection, cross-site scripting and other assaults. With dotDefender v3.6 Applicure has developed the largest out of the box rules base available to enterprises today, providing the highest level of protection against Web server/Web application attacks.

You can check their website at: http://www.applicure.com


dotDefender - Web Application Firewall

Hi Tom,

Could you suggest some other WAFs we could perhaps look at?



I have a question relating to the words used in this question in relation to the words used in 1.1.3. In 1.1.3 the question specifies ‘internet’ facing while question 6.6 uses the term ‘web-facing’. As an auditor I see this as two separate meanings.

An Internet facing firewall or web server is one which is connected to the Internet and not behind a NAT.

A Web-facing application is any web application that might be used regardless of where it’s located.

This is just my interpretation; I could be wrong. In this case the Web-facing application is behind a NAT with a firewall at the gateway but no firewall in front of the web-facing application which processes the critical data. Should there be a firewall in front of this web-facing server or would the gateway fw be sufficient?

IIS Lockdown and URLScan

Hi everyone

Could anyone say if IIS Lockdown and URLScan meet the requirements of PCI 6.6?

Thanks in advance!