Information Security Leader, Author, Instructor and Speaker

WAFs, SDLC and PCI Compliance

Posted on September 4, 2012 in Articles | by

Web applications remain one of the most vulnerable parts of our computing infrastructure.  We’ve taken extraordinary measures over the past decade to shore up our network security and system security, but web applications have generally been left behind.  The complexity of web applications combined with a lack of awareness among developers leads to a woeful state of vulnerability to SQL injection, cross-site scripting (XSS) and other attacks.  Estimates from WhiteHat indicate that it would take the banking industry alone 400 days to patch 90% of the flaws in their applications.

One potential solution to this dilemma is the use of compensating controls to safeguard against existing and future application flaws.  Web application firewalls (WAFs) fit this bill.  These devices, like traditional network firewalls, monitor traffic coming into a network with a specific emphasis on the requests headed to web servers.  They perform deep content inspection on these requests, looking for HTTP commands that violate an organization’s security policy and/or include potentially malicious code, such as a SQL injection attack.

Originally published on, Sept 04, 2012
TAGS: , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

Mike Chapple, CISSP, Ph.D.

Mike is an IT leader, information security professional, author, speaker and trainer with over fifteen years of experience in the field.

Full Biography