Application Firewalls

I was re-reading the VISA CISP data security standards documentation and reminding myself firstly, of what an enjoyable read this is, and secondly of some of the recent new clauses put in to entertain us. Clause 6.6 (on page 8 of the document) states that application layer firewalls are “considered best practice until June 30, 2008, after which it becomes a requirement.”

Once I returned from buying shares in various application firewall vendors I re-thought the merits of this clause and whether or not it is really something that should be a requirement.

I know from experience that application firewalls have their place. For example, take an instance where you have a vulnerable web product and need a quick fix for multiple problems. Sure, the underlying problems still remain but in the meantime you have defences in place that work to mitigate the immediate risks. So the device becomes the proverbial rug that the dust gets swept under. However, CISP are requiring implementation of a device regardless of the risk status which means that you have to find the budget, find a person to perform the administration and management of a device that needs to be updated with new rulesets each time you perform an application change, and then plan upgrades and replacements to this device throughout the entire lifecycle of your product.

Surely if you have applied all of the previous mandatory clauses in the CISP documentation then you will have, in my opinion, mitigated most of the product related risks to a pretty substantial degree, demonstrated due-diligence and have a secure product. I don’t believe that the addition of the firewall buys much extra risk mitigation in this instance.

As you will learn, I’m a believer in process before technology and not trying to solve problems before you understand their causes – and I think that this requirement is overkill. What do you think?