4 reasons not to use mod-security
Published Jul 23, 2008
Version 1.0
The PCI DSS requirements are exceedingly ambiguous. In the one case (hardware key store) it specifically mentions that *some* applications may need it, but never mentions what those applications may be or what variables constitute needing a hardware key store.
Pertaining to the XML, they do not say "if you're serving XML/SOAP you need this", you apparently just need it. It should read more like the requirement around hardware key stores - if you're doing XML, you need to protect it. If you aren't, then don't worry about it.
I agree with the assessment that third-party updating can be a double-edged sword. The best option, IMO, is that the vendor offer it, but allow the customer to choose *how* updates are applied, if they are applied at all. This fulfills the "auto update" requirement for PCI DSS but still leaves the customer in control of their own environment.
PCI DSS is important to those organizations that fall under it, but for those that don't, it becomes a non-issue in the decision of which WAF to purchase, of course.