RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?
- From: Ofer Shezaf <ofers@xxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?
- Date: Wed, 16 Jan 2008 08:25:34 -0800
You are referring to a certain WAF technology, not to WAFs in general. A WAF
should certainly not block a single quote by default.
WAFs have gone a long way in the 10 years they have existed. I personally believe
that real time app sec controls are absolutely necessary to protect web
applications. If the technology available at the time you looked into it was
not good enough, it might be good enough today, and if still not suitable
for a specific application today, it will be tomorrow.
~ Ofer
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Henry Troup
Sent: Sunday, January 13, 2008 7:03 PM
To: Ivan Ristic; B Snake
Cc: websecurity@webappsec.org; webappsec@securityfocus.com
Subject: Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of
Money?
For a while, I had the unpleasant experience of having a customer-support
forum behind a WAF set for certain kinds of blocking. The result was that
single quotes - such as "I can't make this work" - got postings rejected.
Now obviously, that's the kind of thing you want to configure out. But
until you do, it's absolutely painful and embarrassing.
Henry Troup
htroup@acm.org
----- Original Message -----
From: "Ivan Ristic" <ivan.ristic@gmail.com>
To: "B Snake" <bsnak3@gmail.com>
Cc: <websecurity@webappsec.org>; <webappsec@securityfocus.com>
Sent: Sunday, January 13, 2008 4:54 AM
Subject: Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of
Money?
> On Jan 12, 2008 3:55 PM, B Snake <bsnak3@gmail.com> wrote:
>> It seems like 90+% of companies that implement WAFs deploy them in
>> listening-only mode and don't do any blocking for fear of false positives
>> cutting off legitimate user activity.
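The failure mode Henry describes (a rule that rejects any apostrophe) and Ofer's point that a WAF should not block a single quote by default can both be shown with a small rule engine. This is an added example written for this thread, not any vendor's product and not ModSecurity; the rule names, parameter names and sample requests are all constructed.

```python
import re
from dataclasses import dataclass, field

# Hypothetical mini rule engine (constructed for this example). It models the two
# things the thread argues about: a naive "any single quote" rule versus a tuned
# one, and listening-only (log) mode versus blocking mode.

@dataclass
class Rule:
    rule_id: str
    pattern: re.Pattern
    exclude_params: frozenset = frozenset()  # parameters this rule never inspects

@dataclass
class Decision:
    blocked: bool
    alerts: list = field(default_factory=list)

# NAIVE_QUOTE fires on any apostrophe, which is what rejected "I can't make this
# work". TUNED_SQLI fires only when a quote is followed by a typical SQL clause,
# and is excluded from the free-text forum body, where quotes are normal English.
# Excluding a parameter removes coverage for it, so keep such exclusions narrow.
NAIVE_QUOTE = Rule("naive-quote", re.compile(r"'"))
TUNED_SQLI = Rule(
    "tuned-sqli",
    re.compile(r"'\s*(or|and|union|--)\b", re.IGNORECASE),
    exclude_params=frozenset({"message"}),
)

def evaluate(params: dict, rules: list, blocking: bool) -> Decision:
    """Inspect request parameters. In listening-only mode (blocking=False)
    matches are recorded as alerts but the request is never blocked."""
    decision = Decision(blocked=False)
    for name, value in params.items():
        for rule in rules:
            if name in rule.exclude_params:
                continue
            if rule.pattern.search(value):
                decision.alerts.append(f"{rule.rule_id}:{name}")
                if blocking:
                    decision.blocked = True
    return decision

# Constructed sample requests: a legitimate forum post and a suspicious login.
FORUM_POST = {"subject": "Help", "message": "I can't make this work"}
LOGIN = {"user": "admin' OR 1=1 --", "password": "x"}

if __name__ == "__main__":
    print(evaluate(FORUM_POST, [NAIVE_QUOTE], blocking=True))   # blocked: the false positive
    print(evaluate(FORUM_POST, [NAIVE_QUOTE], blocking=False))  # listening-only: alert, not blocked
    print(evaluate(FORUM_POST, [TUNED_SQLI], blocking=True))    # tuned rule: no alert
    print(evaluate(LOGIN, [TUNED_SQLI], blocking=True))         # tuned rule still blocks
```

Running the naive rule in listening-only mode first is exactly what surfaces the forum false positive before anyone is cut off; the tuned rule is the "configure out" step.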
Brought to you by http://www.webappsec.org