The curse of PCI for WAFs

An enlightening case study presented by ArgoWorks, an Armorlogic reseller, highlights the benefit that PCI brings to the WAF market, but also its curse.

When asked why he bought a WAF, the director of application technology at Southern Utah University admits that the reason was PCI. PCI is a very common reason for implementing a WAF and as such is usually considered a boon to the WAF market.

However, when asked why he selected Armorlogic, he listed price, performance and deployment modes as the criteria for selection. Conspicuously missing is any discussion of the security benefit he might get from the WAF. Presumably the director assumed that, since Armorlogic Profense claims PCI 6.6 compliance just like any other WAF and most IPS systems, that side of things is taken care of. This is far from being true:

  • Firstly, while Armorlogic Profense is a WAF, the PCI council does not certify WAFs, so "WAF" is a label vendors apply to themselves. As a result, many products that provide little defense for web applications and do not adhere to the available WAF criteria (such as WAFEC or Xiom) are labeled as WAFs.
  • Secondly, there are no clear guidelines as to the configuration required from a WAF in order to adhere to PCI. An extreme example blogged recently by Walter Conway is a WAF left in learning mode, which observes traffic but blocks nothing; a WAF that is actually enforcing will reject a test attack rather than log it and pass it through. But it can also be argued that a capable WAF configured for signature-based protection only falls short of addressing the entire scope of application security risks.

By not defining what a WAF is or what a WAF should provide, the PCI council is doing harm to the WAF industry and to the state of web application security in general. At times I think that we would be better off without PCI 6.6. The rest of PCI section 6 would require more from organizations, while the magic bullet in 6.6, namely a WAF, lets them off the hook too easily.