
[WEB SECURITY] Re: [Webappsec] Comparisons of Web Application Firewalls



Hi Arian,

> you won't find a review covering using them for targeted
> remediation (which I believe is the correct use today).

You hit the nail on the head.

I recently did a pentest for a telecomms company in APAC, finding 25+
vulnerabilities in 5 days. Going through the process via software
development to fix or mitigate these vulnies would take 6 months or
more, but with some easy configuration changes to their servers and a
WAF, 20 of the vulnies and all of the High and Medium ones can be
mitigated in a short time, which I have proposed to them.

Stephen

On Fri, Jul 4, 2008 at 1:28 AM, Arian J. Evans
<arian.evans@xxxxxxxxxxxxxx> wrote:
> I don't want to start a flame war here - but there is not a single,
> competent review of WAFs for public consumption as of today.
>
> The quality of WAFs varies greatly. Few actually provide all
> the features they claim, but most analysts are not experienced
> enough (yet) to evaluate the intricacies of these features.
>
> Several of my smartest clients have benchmarked the things
> recently, and found that with consistency they all crash, they
> all have weaker attack vector detection than most realize,
> and auto-learning engines suck.
>
> Simple double-encoding will defeat most WAFs, even though
> they all claim they canonicalize data or at least drop "double
> encoded" strings (they don't, at least, effectively enough).
>
> I have yet to read a report breaking down the real world
> implementation problems. They talk instead about vaporware
> features like integrations with all the various desktop
> source and runtime scanning widgets.
>
> I'll pick on Imperva briefly -- I have been able to slip encoded
> strings through SecureSphere for 4+ years now, and their
> auto-learning also doesn't do much for canonicalization issues.
> (The only reason I used to recommend them was for their
> DB profiling, but today I restrain my recommendations)
>
> Imperva hasn't improved things I told them about 4 years
> ago, while instead touting marketing features that don't work.
> This has led them to lose possibly their largest account
> to a competing WAF with a targeted vuln-remediation approach.
>
> I think WAFs have a lot of potential properly used, but
> you won't find a review covering using them for targeted
> remediation (which I believe is the correct use today).
>
> As for the rest, I am cynical (for good reason) about
> the marketing messages and value of comparison
> reports you read. They just don't hold up with real
> world experiences.
>
> The only answer right now is:
>
> Put them in front of your own environments and
> see if they work. Do they crash? Do they create
> latency? Can they detect real attacks? Can they
> block attacks without breaking your application?
>
> Have someone experienced test your application
> and see if the thing can actually block attack vectors
> it claims to detect, or protect abuses targeting real
> weaknesses like insufficient authorization.
>
> Anything less is armchair quarterbacking, IMO.
>
> YMMV.
>
> --
> --
> Arian J. Evans.
> Software. Security. Stuff.
>
>
>
> On Thu, Jul 3, 2008 at 6:25 AM, Ryan Barnett <rcbarnett@xxxxxxxxx> wrote:
>> If you want to compare WAF products yourself, then the WASC Web Application
>> Firewall Evaluation Criteria (WAFEC) provides a framework -
>> http://www.webappsec.org/projects/wafec/.  Btw - v2.0 is in the works.
>>
>> As for industry bake-offs, I believe that the Information Security WAF
>> review from March 2008 is the most recent -
>>
>> Comparative Product Review: Six Web Application Firewalls
>> http://searchSecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1303838,00.html
>> by: Sandra Kay Miller
>> Issue: Mar 2008
>>
>> --
>> Ryan C. Barnett
>> ModSecurity Community Manager
>> Breach Security: Director of Application Security
>> Web Application Security Consortium (WASC) Member
>> CIS Apache Benchmark Project Lead
>> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
>> Author: Preventing Web Attacks with Apache
>>
>>
>> On Wed, Jul 2, 2008 at 11:39 PM, Ray Foo <gunblad3@xxxxxxxxx> wrote:
>>>
>>> Hi guys,
>>>
>>> Does anyone know where I can find comparisons of WAFs?  I've been Googling
>>> around for some time already, but somehow have not been able to find such
>>> information.
>>>
>>> Any help would be appreciated, thanks in advance!
>>>
>>> Regards,
>>> Ray
> _______________________________________________
> Webappsec mailing list
> Webappsec@xxxxxxxxxxxxxxx
> https://lists.owasp.org/mailman/listinfo/webappsec
>
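As an added example (not code from anyone in the thread), here is the canonicalization step Arian says most WAFs get wrong: decoding a request parameter once before signature matching misses a double-encoded payload, while decoding to a fixed point (with a depth bound) inspects the bytes the backend will actually see. The signature list, the depth bound and the helper names are constructed for this demonstration, not taken from any product.

```python
"""Iterative percent-decoding as a WAF canonicalization step (constructed demo)."""
from urllib.parse import unquote

# Assumption: the protected backend never applies more than this many decode layers.
MAX_DECODE_DEPTH = 4

# Toy signature set, constructed for the demo; real rule sets are far richer.
SIGNATURES = ("<script", "' or 1=1", "../")


def canonicalize(value: str, max_depth: int = MAX_DECODE_DEPTH) -> tuple[str, int]:
    """Percent-decode repeatedly until the value stops changing.

    Returns the fully decoded value and the number of passes that actually
    changed it. Two or more passes means the client sent a multi-layer
    encoded value, which is rare for legitimate traffic but can occur when a
    parameter legitimately carries an already-encoded URL, so treat the count
    as a signal, not a verdict.
    """
    passes = 0
    current = value
    for _ in range(max_depth):
        decoded = unquote(current)
        if decoded == current:
            break  # fixed point reached: nothing left to decode
        current = decoded
        passes += 1
    return current, passes


def naive_inspect(value: str) -> bool:
    """Single decode, then match: the behaviour the thread complains about.

    A payload encoded twice still contains %3C/%3E after one pass, so the
    signature never matches even though the backend will decode it again.
    """
    decoded = unquote(value).lower()
    return any(sig in decoded for sig in SIGNATURES)


def canonical_inspect(value: str) -> bool:
    """Decode to a fixed point first, then match the same signatures.

    Also flags values that needed more than one decode pass, mirroring the
    "drop double-encoded strings" policy the thread says WAFs claim to apply.
    """
    decoded, passes = canonicalize(value)
    lowered = decoded.lower()
    return passes > 1 or any(sig in lowered for sig in SIGNATURES)
```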
