
RE: [WEB SECURITY] Re: [Webappsec] Comparisons of Web Application Firewalls



> Martin, I am assuming that the WAF 
> you were going against had one or 
> both of these problems.

Yes, definitely.  But a WAF (even when correctly deployed) is also being
used to fix a problem that just doesn't exist.  It is commonly used to
implement input validation outside of the application, when the actual
root of the problem often isn't validation at all; it lies in a failure
to escape the user input for the correct output context (which needs to
be done by the application itself, prior to dispatching the data).

The net result of the typical WAF deployment is very little gain in
practical security, but a notably damaged user experience.  For example,
I'm bored of using household-name websites that throw a hissy-fit
because of the apostrophe in my name.  Apostrophes have feelings too.

Martin...
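The distinction Martin draws above, between input validation bolted on outside the application and escaping done by the application for each output context, is easier to see in code. The following is an added example, not code from the original thread or from any WAF product: it runs the same legitimate value (a surname with an apostrophe) through a hypothetical WAF-style input filter, which rejects it, and then through context-specific escaping for an HTML body, an HTML attribute, a URL query parameter, and a parameterised SQL statement, all of which handle it without rejecting it. The filter pattern and the sample inputs are constructed for illustration.

```python
"""Added example (not from the original post): output-context escaping of
the same user-supplied value versus a WAF-style input filter that rejects it.
All inputs are constructed; the filter pattern is a hypothetical stand-in."""
import html
import re
import sqlite3
from urllib.parse import quote

# Hypothetical input-validation rule of the kind a generic WAF might apply:
# reject anything containing an apostrophe or angle bracket. It blocks the
# legitimate name used below just as readily as it blocks hostile input.
_WAF_BLOCK = re.compile(r"['<>]")


def waf_style_filter(value: str) -> bool:
    """Return True if the naive input filter would let the value through."""
    return _WAF_BLOCK.search(value) is None


def for_html_text(value: str) -> str:
    """Escape for an HTML element body: &, <, >, " and ' become entities."""
    return html.escape(value, quote=True)


def for_html_attribute(value: str) -> str:
    """Escape for a double-quoted attribute value. The same entity set is
    sufficient here, but the caller must also supply the surrounding quotes,
    so this helper returns the value already wrapped in them."""
    return '"' + html.escape(value, quote=True) + '"'


def for_url_query(value: str) -> str:
    """Percent-encode for use as a single query-string parameter value."""
    return quote(value, safe="")


def store_and_fetch(name: str) -> str:
    """Store the raw value with a parameterised query and read it back.
    No escaping is applied to the data at all; the driver keeps the SQL
    text and the bound value separate, so the apostrophe is never parsed
    as SQL syntax."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    row = conn.execute("SELECT name FROM users").fetchone()
    conn.close()
    return row[0]


def render_profile(name: str) -> str:
    """Render one value into three output contexts, escaping each one
    according to where the value lands rather than according to what the
    value contains."""
    return (
        f"<p>Hello, {for_html_text(name)}</p>\n"
        f"<input value={for_html_attribute(name)}>\n"
        f'<a href="/search?q={for_url_query(name)}">search</a>'
    )


if __name__ == "__main__":
    name = "O'Brien"  # constructed legitimate input
    print("WAF-style filter accepts:", waf_style_filter(name))
    print(render_profile(name))
    print("stored and read back as:", store_and_fetch(name))
```

The point the code makes is that none of the escaping functions need to know anything about the input; each only needs to know the context it is writing into, and the database layer needs no escaping at all because it never concatenates the value into the statement. The filter, by contrast, has to guess at intent from the characters alone, which is why it turns away the apostrophe in a surname.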



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



Brought to you by http://www.webappsec.org