
RE: [WEB SECURITY] Re: [Webappsec] Comparisons of Web Application Firewalls



> I don't want to start a flame 
> war here - but there is not 
> a single, competent review of 
> WAFs for public consumption as 
> of today.

My own personal experience of assessing many applications protected
by all the major WAF vendors is that in practice (like IDS/IPS) they
offer very little real-world value.  Most are installed by the
vendor/tin-pimp out-of-the-box, and the ones that aren't are
generally in log-only mode and unmonitored.

One recent project had a broken app protected by an F5 WAF.  The client
(against our advice) decided that they would fix the problems using the
F5 (whilst waiting for the app vendor to refactor).  The general process
for this is that the F5 pimp analyses the last set of successful vectors
we used, tinkers with the WAF rules, says it is fixed, then we come back
and vary the attacks just enough to bypass the rules.  All a complete
waste of money and time.  I think we are on the fourth or fifth re-test now,
and no end is in sight.

WAFs do have some merit as a dynamic patch for quick and dirty fixes,
but they do very little (if anything) to protect a broken application
from a skilled attacker.

Martin...
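The tune-then-bypass cycle Martin describes above, as an added, constructed example that is not part of the original post and is not F5's rule set or anyone's production WAF policy: a toy negative-security WAF whose regex signatures were each written to catch the exact vector seen on the previous test, the "varied just enough" equivalents that slip past every one of them, and, for contrast, the positive-security (allowlist) validation the application itself should have been doing. The parameter names ("id", "name") and all request values are hypothetical and made up for this illustration.

```python
import re

# Constructed example: a signature-based ("negative security") WAF of the kind
# that gets tuned after each pentest. Each rule keys on the literal tokens of
# the vector it was added to stop.
BLOCKLIST_RULES = [
    re.compile(r"union\s+select", re.IGNORECASE),      # added after "' UNION SELECT ..."
    re.compile(r"'\s*or\s*1\s*=\s*1", re.IGNORECASE),  # added after "' OR 1=1--"
    re.compile(r"<script>", re.IGNORECASE),            # added after "<script>alert(1)</script>"
]


def blocklist_waf(value: str) -> bool:
    """Return True if any tuned signature matches the request value."""
    return any(rule.search(value) for rule in BLOCKLIST_RULES)


# Constructed vectors the WAF was tuned against; all of them are now blocked.
TUNED_VECTORS = [
    "1' UNION SELECT username, password FROM users--",
    "admin' OR 1=1--",
    "<script>alert(1)</script>",
]

# Constructed equivalents for the next re-test: same attack class, same effect
# against the broken application, differing only in the tokens the regexes key on.
VARIED_VECTORS = [
    "1' UNION/**/SELECT username, password FROM users--",   # SQL comment instead of whitespace
    "1' UNION ALL SELECT username, password FROM users--",  # extra keyword between UNION and SELECT
    "admin' OR 2>1--",                                      # tautology that is not literally 1=1
    "admin' OR 'a'='a",                                     # string tautology
    "<svg onload=alert(1)>",                                # XSS without a <script> tag
    "<script/x>alert(1)</script>",                          # script tag with a junk attribute
]

# Positive-security model ("allowlist"): what the application, not the WAF,
# should enforce. Hypothetical parameters: a numeric "id" and a "name" limited
# to a conservative character class. Anything outside the schema is rejected,
# so there is no signature to vary around.
ALLOWLIST_SCHEMA = {
    "id": re.compile(r"\d{1,10}"),
    "name": re.compile(r"[A-Za-z0-9 ._-]{1,64}"),
}


def allowlist_validate(param: str, value: str) -> bool:
    """Accept only values that fully match the declared shape of a known parameter."""
    rule = ALLOWLIST_SCHEMA.get(param)
    return rule is not None and rule.fullmatch(value) is not None


def evaluate():
    """Compare both models over the constructed vectors.

    Returns (tuned_all_blocked, varied_bypassing, allowlist_accepted_attacks):
      - whether every previously seen vector is now blocked by the signatures,
      - the varied vectors that pass the tuned blocklist untouched,
      - attack vectors (tuned or varied) the allowlist would accept for "id".
    """
    tuned_all_blocked = all(blocklist_waf(v) for v in TUNED_VECTORS)
    varied_bypassing = [v for v in VARIED_VECTORS if not blocklist_waf(v)]
    allowlist_accepted = [
        v for v in TUNED_VECTORS + VARIED_VECTORS if allowlist_validate("id", v)
    ]
    return tuned_all_blocked, varied_bypassing, allowlist_accepted


if __name__ == "__main__":
    tuned_ok, bypasses, leaked = evaluate()
    print(f"previous vectors blocked: {tuned_ok}")
    print(f"varied vectors bypassing the tuned blocklist: {len(bypasses)}/{len(VARIED_VECTORS)}")
    for v in bypasses:
        print("  passes:", v)
    print(f"attack vectors accepted by the allowlist: {len(leaked)}")
```

Running it shows the pattern from the thread in miniature: every vector from the last test is blocked, every trivially varied one gets through, and the allowlist rejects all of them while still accepting a legitimate value such as "42". The signatures could be tightened again, which is exactly the next round of the cycle; the schema check does not need to be.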


