ASA-SSM and PCI Compliance

smith.jonathan
Level 1

Is it possible to configure the IPS module to meet PCI DSS requirements for sections 6.5 and 6.6, along with the top 10 OWASP?


Hello Jonathan,

I am not a PCI expert, so I don't know how literally these requirements are to be taken. If they are to be taken word-for-word, the IPS cannot ensure that applications are developed based on secure coding guidelines. It cannot prevent common coding vulnerabilities. (6.5) The IPS is also not a "firewall," even though it can drop traffic. (6.6)

With the above stated, the IPS can protect against exploitation of many different vulnerabilities, should they exist in your code. You can review the signatures available for particular exploits/vulnerabilities in the IPS GUI (IDM or IME), or at http://www.cisco.com/security

Please let me know if I can help you with anything further within the context of this thread. If your question has been Answered, please mark the thread as such so that it will be helpful to other users. Also, please feel free to Rate this thread to reflect your experience.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

**Please check out our Podcasts**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series

PCI

6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following:

6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.

6.5.2 Buffer overflow

6.5.3 Insecure cryptographic storage

6.5.4 Insecure communications

6.5.5 Improper error handling

6.5.6 All “High” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.2).

6.5.7 Cross-site scripting (XSS)

6.5.8 Improper Access Control (such as insecure direct object references, failure to restrict URL access, and directory traversal)

6.5.9 Cross-site request forgery (CSRF)

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
  • Installing a web-application firewall in front of public-facing web applications

The OWASP Top 10 Web Application Security Risks for 2010 are:

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards