
[WEB SECURITY] Fwd: [SC-L] OWASP Podcast #6: WAFs



BTW -- In this podcast you will find a glaringly apparent
anti-WAF bias, which I myself used to have early on,
before I figured out how to use them, and learned to
ignore the more dishonest marketeers amongst them.

The anti-WAF bias in the podcast is, amusingly, for the
wrong reasons IMO, and shows an utter lack of experience
or understanding of business needs/realities surrounding
"secure code" and WAFs.

WAFs *are* in a flux right now.

They seem to work well on simple apps for binary syntax
vulns (SQLi or not). They struggle on complex applications,
particularly internationalized software, but mostly due to
implementation issues (charsets, regional encoding support).

They should work even better for many business logic vulns,
but they don't (again due to implementation and usability
limitations). Most folks I talk to that have been using WAFs
for 1-2+ years are openly aware that they cannot protect
simple business logic issues without explicit configuration
and do not have the time to find and configure for things that
the WAFs *could* easily be protecting.

There are only three vendors that make up 95% of the market
I run into, and for three different (specific) reasons.

One of the three, for example, has some mature features
for inline production that the other two do not. This makes
it immediately obvious who has more experience running inline.

Anyway -- there is a lot of discussion that could and should
be happening around these devices and would really help
out the consumers (and the WAF vendors, and again by
proxy the consumers :).

Is anyone really interested in this? I get lots of offline
comments but the threads stay quiet.

The community over @ SC-L seem to have their heads in
the sand about what businesses are really doing, and going
to continue doing to "secure their code".

We should get some real-world WAFness going on here,
or on Joe's website. And another opportunity:

http://en.wikipedia.org/wiki/Web_application_firewall

The vast majority of you I talk to are in the process of
evaling, buying, or deploying WAFs. And I stumble across
more and more of them.

Where are the "Notes from the Field" from those of
you working with them?

Are we all going to let the software-purist-tautology
crowd define the solutions out of the problem for us? :)

-ae



---------- Forwarded message ----------
From: Arian J. Evans <arian.evans@xxxxxxxxxxxxxx>
Date: Thu, Feb 5, 2009 at 5:18 PM
Subject: Fwd: [SC-L] OWASP Podcast #6: WAFs
To: "websecurity@xxxxxxxxxxxxx" <websecurity@xxxxxxxxxxxxx>


Didn't see this make the webappsec lists -- but it's right up the
alley of folks on WASC.

Interesting that it does not contain any of the "WAF usual-suspects"
from WAF-land:

---------- Forwarded message ----------
From: Jim Manico <jim@xxxxxxxxxx>
Date: Thu, Feb 5, 2009 at 3:03 AM
Subject: [SC-L] OWASP Podcast #6
To: "SC-L@xxxxxxxxxxxxxxxx" <SC-L@xxxxxxxxxxxxxxxx>


Hello SC-L

I just pushed OWASP Podcast #6 live at
http://www.owasp.org/index.php/Podcast_6 - an OWASP Roundtable with
Brian Holyfield, Marcin Wielgoszewski, Andre Gironda and myself, Jim
Manico. Our focus was WAFs.

Thanks and I hope you enjoy,
Jim Manico
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@xxxxxxxxxxxxxxxx
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________



--
Arian Evans

"From the hour the Pilgrims landed,
to the present day, events, occurrences,
and tendencies prove that to ensure
peace, security, and happiness, the
rifle and pistol are equally indispensable"
-- George Washington

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


