PCI-DSS 6.6 – Why a WAF?

PCI-DSS 3 states:

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
  • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.

So what is a WAF? A WAF, or “Web Application Firewall” is an application or service that provides a specific set of security measures designed to protect Web Applications from common attacks.

A web application firewall will protect against application level attacks such as SQL Injection and Cross Site Scripting which are typically not protected using traditional layer 3 firewalls. Organisations should place a WAF in front of their externally facing applications to prevent these types of attacks from successfully being performed resulting in network compromise.

Image (courtesy of Dell Secureworks) shows where a WAF is typically placed on a network:



In 2013, SQLI was rated the number one attack on the OWASP top ten. It is commonly used by attackers to gain access to backend database information such as customer details (potentially including credit card numbers) or gain access to the internal network, depending on the backend database type and configuration.

Organisations should perform detailed selection criteria before purchasing a WAF for their organisation. The cost and performance abilities differ greatly between WAF vendors.

The Open Web Application Security Project (OWASP)—an open community focused on improving the security of application software—suggests the following selection of criteria for WAFs:
• Very few false positives (i.e., should never disallow an authorized request);
• Strength of default (out-of-the-box) defenses;
• Power and ease-of-learn mode;
• Types of vulnerabilities it can prevent;
• Ability to keep individual users constrained to exactly what they have seen in the current session;
• Ability to be configured to prevent specific problems, such as emergency patches;
• Form factor: software versus hardware (hardware generally preferred).

The leading WAF in 2014 according to Gartner is Imperva followed closely by F5:

WAF - Gartner