[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?

From: Ofer Shezaf <ofers@xxxxxxxxxx>
Subject: RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?
Date: Sun, 13 Jan 2008 07:32:59 -0500

------=_NextPart_000_0014_01C855B6.85DAFFB0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Locking doors is also a waste of money, after all any lock can be broken.
And still we all lock doors. No WAF will solve all of your web security
problems but it would certainly reduce them AND make your site more
protected than the next door, which might be just what you need to keep
clear.

 

A good example would be the latest SQL injection bot (WHID 2007-82,
http://www.webappsec.org/projects/whid/byid_id_2007-82.shtml). So many web
sites were broken into, and by just having a default install of ModSecurity
(and I am sure any other WAF), they could prevent the hack.

 

~ Ofer

 

From: Andre Gironda [mailto:andreg@gmail.com] 
Sent: Saturday, January 12, 2008 5:32 PM
To: B Snake
Cc: websecurity@webappsec.org; webappsec@securityfocus.com
Subject: Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of
Money?

 

Deploying WAFs at all - Waste of Money?

Answer: Not if you just made a check-mark on a PCI-DSS audit

On 1/12/08, B Snake <bsnak3@gmail.com> wrote:
> It seems like 90+% of companies that implement WAFs deploy them in
> listening-only mode and don't do any blocking for fear of false positives
> cutting off legitimate user activity.
>
> I'm new to WAFs and this may be a stupid question, but what security value
> does a WAF add if it's not doing any blocking of malicious activity?
>
> -BSnake
>

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


------=_NextPart_000_0014_01C855B6.85DAFFB0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml"; =
xmlns=3D"http://www.w3.org/TR/REC-html40";>

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<title>Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste =
of
Money?</title>
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
p
	{mso-style-priority:99;
	mso-margin-top-alt:auto;
	margin-right:0cm;
	mso-margin-bottom-alt:auto;
	margin-left:0cm;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
span.EmailStyle18
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page Section1
	{size:612.0pt 792.0pt;
	margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
	{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext=3D"edit">
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Locking doors is also a waste of money, after all any =
lock can
be broken. And still we all lock doors. No WAF will solve all of your =
web security
problems but it would certainly reduce them AND make your site more =
protected
than the next door, which might be just what you need to keep =
clear.<o:p></o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>A good example would be the latest SQL injection bot =
(WHID
2007-82, <a =
href=3D"http://www.webappsec.org/projects/whid/byid_id_2007-82.shtml";>htt=
p://www.webappsec.org/projects/whid/byid_id_2007-82.shtml</a>).
So many web sites were broken into, and by just having a default install =
of
ModSecurity (and I am sure any other WAF), they could prevent the =
hack.<o:p></o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>~ Ofer<o:p></o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style=3D'border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt =
0cm 0cm 0cm'>

<p class=3DMsoNormal><b><span =
style=3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span>=
</b><span
style=3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Andre =
Gironda
[mailto:andreg@gmail.com] <br>
<b>Sent:</b> Saturday, January 12, 2008 5:32 PM<br>
<b>To:</b> B Snake<br>
<b>Cc:</b> websecurity@webappsec.org; webappsec@securityfocus.com<br>
<b>Subject:</b> Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode =
-
Waste of Money?<o:p></o:p></span></p>

</div>

</div>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

<p style=3D'margin-bottom:12.0pt'><span =
style=3D'font-size:10.0pt'>Deploying WAFs
at all - Waste of Money?<br>
<br>
Answer: Not if you just made a check-mark on a PCI-DSS audit<br>
<br>
On 1/12/08, B Snake &lt;bsnak3@gmail.com&gt; wrote:<br>
&gt; It seems like 90+% of companies that implement WAFs deploy them =
in<br>
&gt; listening-only mode and don't do any blocking for fear of false =
positives<br>
&gt; cutting off legitimate user activity.<br>
&gt;<br>
&gt; I'm new to WAFs and this may be a stupid question, but what =
security value<br>
&gt; does a WAF add if it's not doing any blocking of malicious =
activity?<br>
&gt;<br>
&gt; -BSnake<br>
&gt;<br>
<br>
-------------------------------------------------------------------------=
---<br>
Join us on IRC: irc.freenode.net #webappsec<br>
<br>
Have a question? Search The Web Security Mailing List Archives:<br>
<a =
href=3D"http://www.webappsec.org/lists/websecurity/";>http://www.webappsec=
.org/lists/websecurity/</a><br>
<br>
Subscribe via RSS:<br>
<a =
href=3D"http://www.webappsec.org/rss/websecurity.rss";>http://www.webappse=
c.org/rss/websecurity.rss</a>
[RSS Feed]</span><o:p></o:p></p>

</div>

</body>

</html>

------=_NextPart_000_0014_01C855B6.85DAFFB0--

References:
- [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?
  - From: B Snake
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?
  - From: Andre Gironda

Prev by Date: RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?
Next by Date: Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?
Previous by thread: Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?
Next by thread: Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site