Re: [ACFUG Discuss] portcullis update

A WAF won't by itself help you pass PCI. That said, mod_security and the F5 ASM are good products.

-dhs

--
Dean H. Saxe
A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children. -- John James Audubon

On Jan 5, 2010, at 6:58 PM, Wes Byrd wrote:

John (and list),

I'm on the hunt for a good Web Application Firewall for PCI Compliance purposes. I've looked into Cisco ACE Web Application Firewall and a couple others. Do you have any recommendations? Are there any software options that will comply with the PCI Compliance guidelines (6 6.5) that would work well rather than a dedicated device?

Wes
w...@dynapp.com
www.facebook.com/dynapp

-----Original Message-----
From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of John Mason
Sent: Monday, January 04, 2010 6:02 PM
To: discussion@acfug.org
Subject: [ACFUG Discuss] portcullis update

I just released the 2.0 version of the Portcullis filter on riaforge.org. You can download it at http://portcullis.riaforge.org. The filter helps block and log SQL injection and cross-site scripting (XSS) attacks. It's also going to be included in the 3.2 version of the Model-Glue framework.

I think most people are finally starting to use cfqueryparam to help prevent SQL injection, but many are still not doing anything about XSS. Portcullis takes maybe five minutes to install on your site - so there's very little reason not to use it.

John
ma...@fusionlink.com
twitter: john_mason_

-
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-
RE: [ACFUG Discuss] portcullis update

Thanks Dean. Yes, I have done much with firewalls and server modifications (such as disabling SSLv2 and weak ciphers) and even web application and database vulnerability defenses. I've been able to pass all PCI Compliance scans for several hosted shopping carts but needed to address the WAF issue as it is now a requirement. Thanks again. I'll check into mod_security and F5 ASM.

Wes

-----Original Message-----
From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Dean H. Saxe
Sent: Tuesday, January 05, 2010 10:22 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] portcullis update

A WAF won't by itself help you pass PCI. That said, mod_security and the F5 ASM are good products.

-dhs

--
Dean H. Saxe
A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children. -- John James Audubon
[ACFUG Discuss] portcullis update

I just released the 2.0 version of the Portcullis filter on riaforge.org. You can download it at http://portcullis.riaforge.org. The filter helps block and log SQL injection and cross-site scripting (XSS) attacks. It's also going to be included in the 3.2 version of the Model-Glue framework.

I think most people are finally starting to use cfqueryparam to help prevent SQL injection, but many are still not doing anything about XSS. Portcullis takes maybe five minutes to install on your site - so there's very little reason not to use it.

John
ma...@fusionlink.com
twitter: john_mason_
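A worked illustration of the two issues John's note refers to, added here as an example that is not Portcullis code and not part of John's post: an injectable cfquery beside its cfqueryparam form, and unencoded page output beside its HTML-encoded form. The datasource name, table, columns and URL parameters are assumed for the example.

```cfml
<!--- VULNERABLE: the raw URL value is interpolated into the SQL text.
      ColdFusion doubles single quotes inside interpolated strings, but an
      unquoted numeric context like this one is still injectable: whatever
      follows the number becomes part of the statement. --->
<cfquery name="getProduct" datasource="shop">
    SELECT name, price
    FROM   products
    WHERE  id = #url.id#
</cfquery>

<!--- FIXED: cfqueryparam sends the value as a typed bind parameter, so the
      database never parses it as SQL. A value that is not an integer is
      rejected by ColdFusion before the query is sent. --->
<cfquery name="getProduct" datasource="shop">
    SELECT name, price
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- VULNERABLE: reflecting a search term into HTML without encoding lets
      markup in the parameter become part of the page (reflected XSS). --->
<cfoutput>
    <p>Results for #url.q#</p>
</cfoutput>

<!--- FIXED: encode at the point of output so the term is shown as text.
      HTMLEditFormat() is available on ColdFusion 8/9; on ColdFusion 10 and
      later prefer EncodeForHTML(), which covers more characters. --->
<cfoutput>
    <p>Results for #HTMLEditFormat(url.q)#</p>
</cfoutput>
```

A request filter such as Portcullis logs and blocks suspicious input on the way in, but it does not replace these two fixes; the parameterized query and the output encoding are what actually remove the vulnerabilities.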