RE: [WEB SECURITY] Re: The Great WAF Debate --was--> XSS/injection/... evading technique

LOL; amusing post.

My interest in WAFs is very much not from a product point of view; we
don't sell or manufacture any products ourselves (or re-sell anyone
else's).

Whilst Corsaire does provide consultancy around designing and building
secure environments, we spend the majority of our time assessing
something that someone else has already implemented.  We're not the
largest organisation in the universe, but we get through somewhere
between two to three hundred assessments a year, typically for large
corporate clients.  Of these environments, I would say that about 80%
have an IDS and maybe 60% a WAF.  Which is anecdotal factlet no.1:
product penetration is pretty high (chardonnay all round for the
marketing people!).

However, as I think I've said before, it appears that the normal
configuration cycle for an IDS or WAF is for them to install it, tinker
with the settings a bit until they disconnect someone (or something)
important, and then the box is put into monitor mode until it is a dusty
forgotten relic.  Which is anecdotal factlet no.2: most IDS/WAF that we
encounter are either in an out-of-the-box state, or in monitor-only mode
(and unmonitored!).

And finally, the only occasion that a client made a concerted effort to
use a WAF (an F5) to fix a broken application resulted in (I think) four
rounds of testing and re-testing, and even then the application still
had unresolved issues (which is, to be fair, a lot to do with the tin
monkeys configuring the WAF).  However, as a side effect the application
was also made unusable to anyone with an apostrophe in their name.
Which is anecdotal factlet no.3: as a WAF's toolkit consists only of
tinkering with data validation, then they are forced to try and fix all
security issues by restricting validation, even when it is clear that
validation isn't the root of the problem.

I have nothing against WAFs as a concept, and I agree that in principle
it is possible to use them to implement some form of dynamic patch (one
that may even work as intended!), but in every example that I have seen
them used in the real world, they have provided almost no practical
value at all.  Their net contribution is as a boldly coloured fan heater
in a data centre.

Martin...

PS Can I get a camp of my own?

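As an added example that is not part of the original message: a constructed apostrophe-blocking rule of the kind factlet no.3 describes, placed beside the string-built query it was covering for and the parameterised query that fixes the root cause. The table, the names and the `outcome` helper are all constructed for this illustration (sqlite3 in-memory database).

```python
import re
import sqlite3

# Constructed stand-in for the blunt WAF rule described in the post: reject
# any parameter containing an apostrophe to paper over SQL injection.
APOSTROPHE_RULE = re.compile(r"'")


def waf_blocks(value: str) -> bool:
    """True if the character blacklist would drop this request."""
    return APOSTROPHE_RULE.search(value) is not None


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: one user whose surname contains an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("O'Brien",), ("Smith",)])
    return conn


def find_user_unsafe(conn, name):
    """The root defect the WAF was hired to hide: SQL built by string formatting.

    Returns the matching rows, or None when the statement itself fails to
    parse, which is exactly what a legitimate apostrophe does to this code."""
    try:
        return conn.execute(
            f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    except sqlite3.Error:
        return None


def find_user_safe(conn, name):
    """Root-cause fix: a parameterised query treats the apostrophe as data."""
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def outcome(name: str) -> dict:
    """Compare the three fates of one lookup for a given username."""
    conn = setup_db()
    return {
        "waf_rejects": waf_blocks(name),
        "unsafe_query": find_user_unsafe(conn, name),
        "safe_query": find_user_safe(conn, name),
    }


if __name__ == "__main__":
    for n in ("O'Brien", "Smith"):
        print(n, outcome(n))
```

For O'Brien the rule rejects the request outright and the string-built query fails anyway, while the parameterised query returns the row; only the last of the three addresses the actual bug.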