
4 reasons not to use mod-security

Apache is a great web server if for no other reason than it offers more flexibility through modules than just about any other web server. You can plug in all sorts of modules to enhance the functiona...
Published Jul 23, 2008
Version 1.0
apache
application security
BIG-IP
firewall
http
internet
security
Lori_MacVittie
Joined October 17, 2006
Lori_MacVittie
Jul 24, 2008
@anonymouse

The PCI DSS requirements are exceedingly ambiguous. In the one case (hardware key store) it specifically mentions that *some* applications may need it, but never mentions what those applications may be or what variables constitute needing a hardware key store.

Pertaining to the XML, they do not say "if you're serving XML/SOAP you need this", you apparently just need it. It should read more like the requirement around hardware key stores - if you're doing XML, you need to protect it. If you aren't, then don't worry about it.

I agree with the assessment that third-party updating can be a double-edged sword. The best option, IMO, is that the vendor offer it, but allow the customer to choose *how* they are applied, if they are applied at all. This fulfills the "auto update" requirement for PCI DSS but still leaves the customer in control of their own environment.

PCI DSS is important to those organizations that fall under it, but for those that don't, it becomes a non-issue in the decision of which WAF to purchase, of course.
