Profense PCI DSS Compliance

Update: January 5th, 2010

Recommended capabilities

According to the Information Supplement "Requirement 6.6 Code Reviews and Application Firewalls Clarified" from the PCI Security Standards Council, a web application firewall should be able to:

| PCI DSS requirement | Profense capabilities |
|---|---|
| Meet all applicable PCI DSS requirements pertaining to system components in the cardholder data environment. | See PCI DSS requirements pertaining to system components in the cardholder data environment below. |
| React appropriately (defined by active policy or rules) to threats against relevant vulnerabilities as identified, at a minimum, in the OWASP Top Ten and/or PCI DSS Requirement 6.5. | Profense provides defenses against all of the OWASP Top Ten application vulnerabilities. For more information read OWASP Top Ten defenses. |
| Inspect web application input and respond (allow, block, and/or alert) based on active policy or rules, and log actions taken. | Profense inspects all incoming web traffic and responds by enforcing the applicable security policy: allow, log and block, or alert on the events. |
| Prevent data leakage, meaning have the ability to inspect web application output and respond (allow, block, mask and/or alert) based on the active policy or rules, and log actions taken. | Server response rewriting allows for completely configurable policies matching and rewriting confidential data such as Payment Card Numbers, Social Security Numbers, etc. |
| Enforce both positive and negative security models. The positive model ("white list") defines acceptable, permitted behavior, input, data ranges, etc., and denies everything else. The negative model ("black list") defines what is NOT allowed; messages matching those signatures are blocked, and traffic not matching the signatures (not "black listed") is permitted. | Profense supports positive and negative filtering and combinations thereof. |
| Inspect both web page content, such as Hypertext Markup Language (HTML), Dynamic HTML (DHTML), and Cascading Style Sheets (CSS), and the underlying protocols that deliver content, such as Hypertext Transport Protocol (HTTP) and Hypertext Transport Protocol over SSL (HTTPS). (In addition to SSL, HTTPS includes Hypertext Transport Protocol over TLS.) | Profense inspects all of the content types and protocols mentioned. |
| Inspect web services messages, if web services are exposed to the public Internet. Typically this would include Simple Object Access Protocol (SOAP) and eXtensible Markup Language (XML), both document- and RPC-oriented models, in addition to HTTP. | Profense supports inspection of XML based web services requests including SOAP and XML-RPC. XML based requests are learned like other queries, and positive and negative policies and combinations thereof can be enforced. |
| Inspect any protocol (proprietary or standardized) or data construct (proprietary or standardized) that is used to transmit data to or from a web application, when such protocols or data is not otherwise inspected at another point in the message flow. | Profense supports inspection of HTTP and should only be used for HTTP(S) based traffic. |
| Defend against threats that target the WAF itself. | Profense is a software appliance based on a stripped and hardened version of OpenBSD, which is regarded as the most secure OS you can get. Profense components run in a non-privileged and closed run-time environment. ProPolice, W^X protection, a non-executable stack, etc. further harden the system. |
| Support SSL and/or TLS termination, or be positioned such that encrypted transmissions are decrypted before being inspected by the WAF. Encrypted data streams cannot be inspected unless SSL is terminated ahead of the inspection engine. | Profense terminates HTTPS and optionally re-encrypts requests before they are sent to the web system. |
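The positive/negative model distinction in the table above is easiest to see in code. The following is an added example, not Profense code or configuration: a small request inspector with a constructed per-path whitelist (positive model), a few constructed blacklist signatures (negative model), and a `mode` switch so the same request can be evaluated under either model or both. The audit line shows the "log actions taken" part of the requirement.

```python
import re
from dataclasses import dataclass, field

# Positive model (constructed for this example): for each known path, the
# parameters that are permitted and the exact shape each value must have.
# Anything not listed here is denied.
POSITIVE_RULES = {
    "/checkout": {
        "qty": re.compile(r"[1-9][0-9]{0,2}"),     # 1..999
        "sku": re.compile(r"[A-Z0-9-]{3,20}"),     # catalogue identifier
    },
}

# Negative model (constructed for this example): signatures that are never
# acceptable in any parameter value. Traffic not matching any of them passes.
NEGATIVE_SIGNATURES = [
    ("sql-injection", re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+)")),
    ("xss", re.compile(r"(?i)<\s*script\b|javascript:")),
    ("path-traversal", re.compile(r"\.\./")),
]


@dataclass
class Decision:
    action: str                      # "allow" or "block"
    reasons: list = field(default_factory=list)


def inspect_request(path, params, mode="combined"):
    """Evaluate one request under the positive, negative or combined model."""
    reasons = []

    # Negative model: every value is checked against every signature.
    if mode in ("negative", "combined"):
        for name, value in params.items():
            for sig_name, sig in NEGATIVE_SIGNATURES:
                if sig.search(value):
                    reasons.append(f"negative:{sig_name}:{name}")

    # Positive model: the path must be known, every parameter must be
    # expected for that path, and every value must match its allowed shape.
    if mode in ("positive", "combined"):
        rules = POSITIVE_RULES.get(path)
        if rules is None:
            reasons.append("positive:unknown-path")
        else:
            for name, value in params.items():
                rule = rules.get(name)
                if rule is None:
                    reasons.append(f"positive:unexpected-param:{name}")
                elif not rule.fullmatch(value):
                    reasons.append(f"positive:out-of-range:{name}")

    return Decision("block" if reasons else "allow", reasons)


def audit_line(path, decision):
    """One log line per inspected request, recording the action taken and why."""
    return f"action={decision.action} path={path} reasons={','.join(decision.reasons) or '-'}"


if __name__ == "__main__":
    # Constructed sample requests: one clean, one with an unexpected parameter,
    # one carrying a textbook injection string.
    for path, params in [
        ("/checkout", {"qty": "2", "sku": "AB-123"}),
        ("/checkout", {"qty": "2", "debug": "1"}),
        ("/checkout", {"qty": "2", "sku": "' OR '1'='1"}),
    ]:
        for mode in ("negative", "positive", "combined"):
            print(mode, audit_line(path, inspect_request(path, params, mode)))
```

The second sample request is the instructive one: under the negative model a never-seen `debug` parameter matches no signature and is allowed, while the positive model blocks it because it was never whitelisted. The combined mode reports both kinds of finding for the injection attempt.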

PCI DSS requirements pertaining to system components in the cardholder data environment

| PCI DSS requirement | Profense capabilities |
|---|---|
| 2.1 Always change vendor-supplied defaults before installing a system on the network (for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts). | Profense is a software appliance. It includes a hardened OS and installs on most standard hardware. No unnecessary services are running and only two passwords should be changed upon installation. |
| 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS). | Profense is based on a stripped and hardened version of OpenBSD, which is regarded as the most secure OS you can get. Profense components run in a non-privileged and closed run-time environment. ProPolice, W^X protection, a non-executable stack, etc. further harden the system. |
| 2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access. | Access to the web based management interface is only allowed through HTTPS (SSL/TLS). |
| 3.4 Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks)… | Log input data masking allows for matching PANs in all query input (including PANs entered in wrong input fields) and rendering them completely unreadable. |
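Both the response-rewriting row of the first table and the requirement 3.4 row above come down to the same mechanism: find anything that looks like a card number wherever it appears, confirm it really is one, and replace it before the data leaves or is written to a log. The following is an added example illustrating that mechanism; it is not Profense code, and the candidate pattern, the `keep_last` parameter and the sample strings are constructed for this example. The Luhn check is what stops order numbers and other digit runs from being masked by mistake.

```python
import re

# Candidate PAN (constructed pattern): 13 to 19 digits, optionally separated
# by single spaces or dashes, not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits):
    """Standard Luhn checksum; True for a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(match, keep_last):
    """Rewrite one candidate match; leaves non-Luhn digit runs untouched."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # e.g. an order id, not a card number
    kept = digits[-keep_last:] if keep_last else ""
    masked_digits = "*" * (len(digits) - len(kept)) + kept
    # Re-insert the original separators so the surrounding layout survives.
    it = iter(masked_digits)
    return "".join(next(it) if ch.isdigit() else ch for ch in raw)


def mask_text(text, keep_last=4):
    """Response-rewriting case: mask PANs in outbound content, keeping the
    last four digits so the page is still usable for reconciliation."""
    return PAN_CANDIDATE.sub(lambda m: mask_pan(m, keep_last), text)


def mask_query_params(params):
    """Log-input case: every parameter value is scanned, whatever field it
    arrived in, and any PAN is rendered completely unreadable (keep_last=0)."""
    return {name: mask_text(value, keep_last=0) for name, value in params.items()}


if __name__ == "__main__":
    # Constructed samples: 4111111111111111 is a common Luhn-valid test number;
    # 1234567890123 is 13 digits but fails Luhn and must be left alone.
    print(mask_text("Card on file: 4111 1111 1111 1111, order 1234567890123"))
    print(mask_query_params({"comment": "my card is 4111111111111111",
                             "order": "1234567890123"}))
```

Because the scan runs over every parameter value rather than only the field labelled as a card number, a PAN typed into a comment or search box is caught as well, which is the "wrong input fields" case the 3.4 row describes.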
