[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [WEB SECURITY] cross site trace

From: "Martin O'Neal" <martin.oneal@xxxxxxxxxxxx>
Subject: RE: [WEB SECURITY] cross site trace
Date: Thu, 24 Jul 2008 09:41:59 +0100

I'm happy that a WAF can be used as a dynamic patch, but as a general
rule, I don't think they work that well even when used this way (as I've
pointed elsewhere, they are often used to fix encoding issues by data
validation restrictions).  Better than nothing, but not good.

I have no statistics to back it up (tm), but my anecdotal experience is
that companies suffer way more downtime from unplanned or poorly managed
changes than they do from security incidents.  Change control is your
friend.

Martin...

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

References:
- [WEB SECURITY] cross site trace
  - From: Raymond Forbes
- RE: [WEB SECURITY] cross site trace
  - From: Brian Shura
- Re: [WEB SECURITY] cross site trace
  - From: Raymond Forbes
- Re: [WEB SECURITY] cross site trace
  - From: Arian J. Evans
- Re: [WEB SECURITY] cross site trace
  - From: James Landis
- RE: [WEB SECURITY] cross site trace
  - From: Brian Shura
- RE: [WEB SECURITY] cross site trace
  - From: Tom Brennan
- RE: [WEB SECURITY] cross site trace
  - From: Tom Brennan

Prev by Date: [WEB SECURITY] XSS/injection/... evading technique
Next by Date: Re: [WEB SECURITY] Paper draft: Enough With Default Allow in Web Applications!
Previous by thread: RE: [WEB SECURITY] cross site trace
Next by thread: RE: [WEB SECURITY] cross site trace
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site