Profense™ provides full PCI DSS 2.0 section 6.5 and 6.6 compliance.
Every company today has a presence on the Internet. The number of web applications (e-commerce, extranet,
content management system, etc.) is increasing, and their growing importance to all aspects of business is obvious.
But it is estimated that 70% of current web applications are still open to attack.
While IT professionals work to secure the network perimeter, web applications continue to remain vulnerable.
Web application vulnerabilities threaten not only the organization running the application,
but also visitors to these websites. These visitors may lose their privacy.
Regulators are therefore increasingly requiring companies to secure their web applications and thus to purchase
web application firewalls, such as Armorlogic's Profense.
Sarbanes Oxley, the Gramm-Leach-Bliley Act, HIPAA, the UK Data Protection Act,
Payment Card Industry Data Security Standard (PCI-DSS), and other regulation require companies, throughout the world,
to protect the web-based data which they control
In particular the updated standard for securing websites accepting major credit cards,
The Payment Card Industry Data Security Standard (PCI DSS 2.0),
is very specific and prescriptive about web application security. In section 6.6 it requires that either
- an application layer firewall is in place protecting web facing applications, or
- that web facing applications are tested by web security specialists.
Other standards are less prescriptive but PCI-DSS is likely to set the future standards of website security as it will serve as a guideline for auditors evaluating the strength of a company's security provisions.
Of course, from a technical standpoint, the best option would be to go for both (securiy testing and application firewall) but from a business perspective a
lot of companies are likely to choose one of the options as only one is required, especially when they have to choose
between $25K+ options, with high re-occurring cost.
Choosing the application firewall path, one option is to go for do it yourself manually configured open source
application firewall solutions. For some it will work but as applications and website content tend to change over time
(sometimes without the security administrator knowing it) the policy needs to be adjusted to reflect changes. Also this solution requires
that the security administrator is skilled at regular expressions and that he/she has the complete picture of the
web sites and applications including all input options.
There is no such thing as a free lunch and the price of the open source solution is a lot of time spent creating and adjusting the policy.
Another option is to go for an automated appliance based solution which will automatically learn normal application behaviour and
configure a policy allowing normal application use. These solutions will provide excellent protection but a lot of companies are put off by the price tag.
What is special about Profense™?
Clearly, for a lot of companies the perfect solution would be an affordable automated solution allowing for fast track implementation of web application security.
That's Profense™. It fits the gap between the "hard to manage and configure" and the expensive automated solutions allowing
for a more balanced approach in terms of time/money spent on the solution. There may even be money left for application security testing.
Some reasons for Armorlogic being able to offer Profense™ at such attractive prices are that:
- Profense is a "do it yourself appliance". We provide an ISO image with a complete package including a minimalized OS (OpenBSD) which will turn a piece of server hardware into an appliance. Thus Armorlogic does not have to spend money on specialized hardware.
- Others have done a lot of work for us making high quality Open Source software (OpenBSD, Apache, OpenSSL, etc.).
- We rely on high numbers instead of high margins.
Learn more about Profense™ or