On the one hand we have the problem that if we are required to prevent CSRF attacks on a site, a lot more sites are going to count as vulnerable.
On the other hand, neither the PCI-1.1 standard nor the PABP specify the criteria for judging an application or system compliant. Most if not all of the standards have an all-or-nothing flavor to them. Unfortunately, as we know, it's rarely that simple.
The PABP focuses on two main areas that are application specific:
- Development Practices and the SDLC
- Actual countermeasures and vulnerabilities in the code
The second is much harder to pass because the standard itself doesn't say that you need to have frameworks to prevent attacks, it says you must be preventing them. This means that pretty much every deployed application isn't really compliant, since we know that all applications of a decent size are almost certain to have some sorts of application security vulnerabilities.
What the standard needs is a slightly more prescriptive requirement around the SDLC, a threshold of vulnerabilities that you must reasonably try to prevent, and solid remediation plans should a vulnerability be discovered and/or audit trails to detect a breach should it occur.
WhiteHat's service actually comes in handy here in that with continuous monitoring of applications you shrink your vulnerability window (theoretically). What WhiteHat isn't specifically monitoring for are cases where there is currently something like a stored XSS on your site. Unfortunately discovering these programmatically is quite difficult, though I'm thinking catching this sort of defacement quickly could be pretty useful. You can always wait for your app/site to show up on the http://sla.ckers.org/ site, but that probably isn't the most efficient way to discover you have an XSS vulnerability.
Where does that leave us from a PCI perspective? Unfortunately we're discovering that as decent a standard as PCI is, and as nicely prescriptive as it is, it still has gaps.
One solution is to do what the government does.
- Congress passes law
- Federal agency draws up regulations that implement the law
- Federal agency draws up interpretations, implementation guidelines, etc.
- Lots of lawsuits happen, case law is set, and now we have definitive rules
- Life goes on with a lot of $$ spent on compliance.