With the deadline of June 2008 quickly approaching for retailers who need to be compliant with PCI DSS (Payment Card Industry Data Security Standard) there's a lot of focus in IT shops on requirement 6.6, the somewhat hotly debated requirement which states organizations must implement either a web application firewall or perform code reviews (and address vulnerabilities discovered) in order to be compliant with the standard and continue accepting credit cards.

So much focus is on this standard and online retailers that it seems like the "bad guys" might consider other avenues of attack. Malicious code (malware) and keyloggers appear to be an easy alternative to nabbing personal information like credit cards in the face of tighter security around retail shops and their databases full of juicy information.

Indeed, a new wave of SQL injection attacks appear to be hitting the web in full force, infecting web sites and then browsers, ultimately stealing personal information from consumers. And once you've got their personal information, why attack a relatively well-protected e-commerce site when you can just log in and appear legitimate to steal the same information?

TechTarget examines this latest wave of attacks. One researcher comes to the conclusion that the affected sites are older ones, those that "didn't go through any kind of code review."

TechTarget: New wave of SQL Injection attacks alarm researchers

Even relatively basic websites can have several applications running at any one time and all it takes is a small coding error in one of those programs and an attacker has the opening he needs.

"It doesn't take a lot of effort," said Billy Hoffman, lead security researcher for the Web Security Research Group at HP Labs, and an expert on Web application security. "There are so many Web-facing applications out there and a lot of them were written years ago and didn't go through any kind of code review."

I'm not certain that's entirely true. Perhaps Mr. Hoffman meant that these sites likely did not go through any third-party code review. After all, code reviews are generally performed by peers in an organization, peers who are not likely to have any more security training than the developer who wrote the original code. Code reviews are only helpful if they are performed by someone who has experience and knowledge of how attacks such as SQL injection are performed, and how they bypass the typical security measures put in place to thwart them. Without that understanding it's unlikely that a code review will uncover potential vulnerabilities in an application. This is the reason the PCI council chose as an option a code review performed by a qualified, third-party source rather than requiring organizations to rely on internal resources.

While organizations can rely on internal resources, the restrictions on who qualifies to review code make it likely that no one internally will be able to fill the role anyway.

In any case, perhaps organizations with a web presence ought to look at PCI DSS regardless of whether they accept credit cards or not. After all, requirement 6.6 is a good, generalized "best practice" for securing applications - whether written years ago or last week - that applies to any web application, not just those which accept credit cards.

Code reviews can ensure that applications are not vulnerable to existing attacks (those that are known at the time of development) and a web application firewall can help to prevent those exploits that emerge when the application is live and in use.
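As an added illustration of what a security-aware code reviewer is looking for (this is example code written for this post, not code from TechTarget, HP Labs or the PCI council), the snippet below puts the "small coding error" beside its fix and adds a crude source scanner of the kind a reviewer might run first. The customer table, the sample source text and the function names are all constructed for the example; the scanner is a heuristic that flags string literals containing an SQL keyword that are glued to input with `%`, `+` or `.format(`, which is a starting point for a human review, not a substitute for one.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory customer table.
CUSTOMERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The coding error: untrusted input is spliced into the SQL text itself."""
    query = "SELECT username, email FROM customers WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The fix a reviewer asks for: the driver binds the value, so input is never SQL."""
    query = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Reviewer aid: a double- or single-quoted string literal followed by %, + or .format(
DQ = r'"(?:[^"\\]|\\.)*"'
SQ = r"'(?:[^'\\]|\\.)*'"
CONCAT_SQL = re.compile("(?:%s|%s)" % (DQ, SQ) + r"\s*(?:%|\+|\.format\()")
KEYWORD = re.compile(r"\b(?:select|insert|update|delete)\b", re.IGNORECASE)


def find_concatenated_sql(source):
    """Return (line_no, line) pairs where an SQL-looking literal is built by
    string concatenation or formatting. Heuristic only: it cannot see a query
    assembled across several lines, so hits are leads for a human reviewer."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in CONCAT_SQL.finditer(line):
            if KEYWORD.search(m.group(0)):
                hits.append((n, line.strip()))
                break
    return hits


# Constructed source text for the scanner: one flawed lookup, one fixed lookup.
SAMPLE_SOURCE = '''\
def find_user(conn, username):
    query = "SELECT username, email FROM customers WHERE username = '%s'" % username
    return conn.execute(query).fetchall()

def find_user_safe(conn, username):
    return conn.execute("SELECT username, email FROM customers WHERE username = ?", (username,)).fetchall()
'''


if __name__ == "__main__":
    db = make_db()
    # The classic tautology input shows why the reviewer rejects the first version:
    # the concatenated query returns every row, the bound query returns none.
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
    for line_no, text in find_concatenated_sql(SAMPLE_SOURCE):
        print("review line %d: %s" % (line_no, text))
```

Running the scanner over the constructed sample flags only line 2 (the `%`-formatted query); the parameterized version on line 6 passes because the value reaches the driver as a bound parameter rather than as part of the SQL text. That distinction is exactly what a reviewer without attack knowledge tends to miss, and what requirement 6.6 is asking someone qualified to look for.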

Third-party code reviews and web application firewalls are both just good sense when it comes to securing any web application. And with the deadline for PCI DSS looming, it means more retail and e-commerce sites are going to be protected against most attacks, meaning the "bad guys" will be looking for easier targets.

Don't let your site be one of them.

Imbibing: Coffee