PCI Security Standards Council Clarifies Web Application Security Requirements

April 23, 2008

The clarification document is available here:  https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf

A few comments:

We are very pleased that the document highlights the value of defense in depth strategies.

While it specifies that testing can be performed by internal resources, so long as they are independent of the development organization, it also clarifies the role of third-party testing organizations like QuietMove:

“While the final sign-off/approval of the review/scan results must be done by an independent organization, it is recommended that reviews and scans also be performed as early as possible in the development process. Tools should be made available to software developers and integrated into their development suite as much as practical.”

The Web Application Firewall product selection and configuration criteria are also defined in depth.

Bravo to PCI SSC for clarifying these requirements.
