Pete,
You could try using ModSecurity. It's fast, free and effective at
protecting web applications.
Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45
Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn
Hill, Pete wrote:
>
> Hi all,
>
> Can anyone confirm for me what sort of workarounds there are concerning
> PCI:DSS and application layer firewalls?
>
> Requirement 6.6 of the standard states this:
>
> 6.6 Ensure that all web-facing applications are protected against known
> attacks by applying either of the following methods:
> * Having all custom application code reviewed for common vulnerabilities
> by an organization that specializes in application security
> * Installing an application layer firewall in front of web-facing
> applications.
> Note: This method is considered a best practice until June 30, 2008,
> after which it becomes a requirement.
>
> We already have our custom code reviewed, but I'm wondering if I
> absolutely must sort out an application layer firewall or if there is a
> workaround that would be acceptable for a level 1 merchant.
>
> If there are any knowledgeable auditors (qsa etc) out there I'd really
> appreciate your help on this one.
>
> Many thanks
> Pete
>
>
Received on May 23 2008