Re: [WEB SECURITY] Fwd: [SC-L] OWASP Podcast #6: WAFs
- From: "Arian J. Evans" <arian.evans@xxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Fwd: [SC-L] OWASP Podcast #6: WAFs
- Date: Fri, 6 Feb 2009 16:07:11 -0800
<inline>
On Fri, Feb 6, 2009 at 2:38 PM, Andre Gironda <andreg@xxxxxxxxx> wrote:
> On Fri, Feb 6, 2009 at 11:21 AM, Arian J. Evans
> <arian.evans@xxxxxxxxxxxxxx> wrote:
>> BTW -- In this podcast you will find a glaringly apparent
>> anti-WAF bias
>
> sounds like arian didn't listen to the podcast, but is merely making
> judgments based on who was in the podcast.
[...]
> yes, allow me to restate the fact that arian didn't listen to the
> podcast. all of the experiences and understanding of business needs /
> reality was addressed in the podcast by each of the speakers. in
> fact, i think this was the goal of the podcast.
I found it biased -- but you are absolutely correct.
I did not make it through all 70-some minutes of the thing.
>> WAFs *are* in a flux right now.
>
> again, arian must have not listened to the podcast, especially the
> parts about va+waf and va+waf+sca.
That is not what I am referring to.
There are several things *in flux* including:
(a) vendors
(b) technology
(c) philosophy, and
(d) how they are really being used in the field vs. how they are marketed.
>> They seem to work well on simple apps for binary syntax
>> vulns (SQLi or not). They struggle on complex applications,
>> particularly internationalized software, but mostly due to
>> implementation issues (charsets, regional encoding support).
>
> actually, arian must not have listened to particular section of the
> podcast. maybe he listened to the intro. i think a lot was said
> about encoding by Jim Manico and myself. i made specific reference to
> Microsoft SRE.
I heard Jim's statements.
I am allowed to state what *I* see as the issues, too. It's not
all about your podcast, Andre.
>> They should work even better for many business logic vulns,
>> but they don't (again due to implementation and usability
>> limitations). Most folks I talk to that have been using WAFs
>> for 1-2+ years are openly aware that they cannot protect
>> simple business logic issues without explicit configuration
>> and do not have the time to find and configure for things that
>> the WAFs *could* easily be protecting.
>
> well i guess arian missed the part about ModSecurity and WebGoat. he
> probably didn't listen to Podcast #2 either.
I don't know anyone running ModSecurity and WebGoat in production.
I did not hear you address anything like the specific scenarios
I encounter out in real life. Like autodetection/protection limitations
in commercial WAF products used in the field that prevent them
from properly protecting issues.
e.g. state table or memory mapping limitations, or limitations
on name=value pairs parsed for performance reasons, etc.
Where you run into, not infrequently on some software, an
n+1 limitation of the WAF (n=limitation).
>> There are only three vendors that make up 95% of the market
>> I run into, and for three different (specific) reasons.
>
> if arian is talking about F5, Imperva, and Citrix, then I believe he
> is a sad case of following the security product industry too closely.
I don't find anything emotional about the subject, Andre.
I take a more mathematical approach to information security.
The facts: out of a sampling of roughly 1,000 production
websites -- Imperva, F5, and Breach were the only WAFs
found running in production, and in that order.
(I have seen Citrix a few times, but I also see it get pulled
down pretty quickly for various reasons.)
I have heard from several sources (anecdotal) that Imperva
leads market share in sales. I have also heard this about
Fortify, but since they bundle their WAF with *everything* it's
kind of like IBM's DB2. Everyone has it, but is anyone using it?
And in the case of Fortify I can say solidly: No. No one I
know (besides perhaps Fortify) is actually using it.
Some folks are talking about it, and evaluating it,
but not actually *using* it in production.
I am not sure what you mean about being sad about
following the security industry too closely. I just follow
numbers, Andre, and the closer the better.
> are you taking any kickbacks, arian? got some friends-and-family stock?
While it's really none of your business where my income
comes from -- neither I nor my employer receive kickbacks
from any WAF vendor, and same goes for stock for me.
I am entirely unsure, and equally uncaring, if anyone
I know, friends, family, and even our close brotherhood
in the Church of Software Security, owns stock in any
of the companies you mentioned.
I did own some Citrix stock in the late 90s though if
that shines a suspicious light on me!
>> The community over @ SC-L seem to have their heads in
>> the sand about what businesses are really doing, and going
>> to continue doing to "secure their code".
>
> hahahahhahahaaha. yes, the people on the secure coding list have no
> idea what they are talking about. good one.
Do not put words into my mouth. Some of the smartest
academics and theoreticians I know inhabit the SC-L,
as well as some of the most innovative researchers
I have worked with.
I should have qualified that statement. Here goes:
Many folks on the SC-L list continue to focus on the "source
code" and/or "the developer" as the "root cause" of the
problem. I do not believe this is the case, and for many
businesses "source code" and "developers" are symptoms,
not causes.
The SC-L list is about "secure coding" and it is a great
list for that subject.
It is not about "business realities of securing code".
So if it sounded like I was unfairly judging the SC-L
list, that is probably true. My dearest apology: I've
subscribed for years, maybe since the beginning,
and find it a great source for specific topics.
>> We should get some real-world WAFness going on here,
>> or on Joe's website. And another opportunity:
>>
>> http://en.wikipedia.org/wiki/Web_application_firewall
>
> we welcome a retort. perhaps you'd like to join the OWASP Podcast for an hour?
>
> linking to Wikipedia is probably the saddest thing i've ever seen you
> do. this is really going to hurt your credibility.
Actually, it is a blank page. Might be useful for someone to
fill in a list of vendors and options. Or, as I said, use Joe's
page. Many, many people ask for a list of WAF vendors and
options out in that place called "IRL Business-Land".
> i believe that marketing people know how to use Wikipedia and sometimes it's their
> day-job to just make sure Wikipedia has a product-slant/bias.
I think the entire world knows this "secret", Andre.
Did you find the Pyramid with the Eye hidden on there, too??
>> Where are the "Notes from the Field" from those of
>> you working with them?
>
> hrmn guess you didn't listen to the podcast.
Which part did you talk about running these in front of
production environments with dozens to hundreds of
servers running large applications, or dozens to hundreds
of applications, serving 3 to 8 gigabits of traffic, and
have highly dynamic code bases?
I *totally* missed that part, I admit.
>> Are we all going to let the software-purist-tautology
>> crowd define the solutions out of the problem for us? :)
>
> well, gosh, i would hope so. isn't everything we do made of software?
> didn't network security fail? didn't product-based security fail?
> didn't compliance-driven security fail?
Not everything I do is made of software.
Security is about Risk Management, and in
Business -- Business Risk Management.
That sounds like a process to me.
I am not sure what you mean about network and
product security failing. I know a lot of folks running
networks and buying products that appear to
be pretty successful with them.
But then, I tend to focus on software, and lately,
web software, as it relates to businesses.
Sounds like you may have more experience in
other technology-domains outside of web application
software security.
Either way, that's off topic.
As always -- thanks for helping clarify and contribute
to our much-needed WAF dialogue.
---
Arian Evans
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org
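Arian's point above about WAFs that cap the number of name=value pairs they parse "for performance reasons" (the "n+1 limitation") is easy to model. The following is an added, constructed example, not code from either poster and not the logic of any real product: a toy inspector that only looks at the first `max_pairs` pairs of a form body, next to a fail-closed variant that refuses any request over the cap, and a "backend" that, like a real application, reads every pair the inspector skipped. The `SQLI_PATTERN` signature is deliberately crude and is an illustration only.

```python
"""
Toy model of a WAF with a parameter-count cap (constructed example).

Shows why a cap on parsed name=value pairs is an evasion path: the
application reads pair number n+1 even though the inspector never saw it.
"""
import re
from urllib.parse import parse_qsl

# Hypothetical, crude SQL-injection signature used only for this illustration.
SQLI_PATTERN = re.compile(
    r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\b)"
)


def parse_body(body: str) -> list[tuple[str, str]]:
    """Split an application/x-www-form-urlencoded body into (name, value) pairs."""
    return parse_qsl(body, keep_blank_values=True)


def inspect_capped(body: str, max_pairs: int) -> bool:
    """Inspector that parses only the first max_pairs pairs.

    Returns True if the request would be blocked. Anything past the cap is
    simply not looked at, which is the limitation discussed in the thread.
    """
    pairs = parse_body(body)[:max_pairs]
    return any(SQLI_PATTERN.search(value) for _, value in pairs)


def inspect_all(body: str, max_pairs: int) -> bool:
    """Fail-closed variant: block when the cap is exceeded, else inspect every pair."""
    pairs = parse_body(body)
    if len(pairs) > max_pairs:
        return True  # over budget: reject rather than skip the tail
    return any(SQLI_PATTERN.search(value) for _, value in pairs)


def backend_reads(body: str) -> dict[str, str]:
    """The application parses all pairs, including any the capped inspector skipped."""
    return dict(parse_body(body))


def build_request(n_padding: int, payload: str) -> str:
    """Constructed attacker request: n_padding harmless pairs, then the payload in 'id'."""
    padding = "&".join(f"p{i}=x" for i in range(n_padding))
    return f"{padding}&id={payload}"


if __name__ == "__main__":
    cap = 10
    evil = "1' OR '1'='1"
    # Payload sits in pair number cap+1, past what the capped inspector parses.
    req = build_request(cap, evil)
    print("capped inspector blocked:", inspect_capped(req, cap))   # False
    print("fail-closed inspector blocked:", inspect_all(req, cap))  # True
    print("backend saw id =", backend_reads(req)["id"])            # the payload
```

The takeaway for a deployment is that a parsing budget has to be enforced as a reject condition (or raised to match the application's real parameter counts) rather than silently truncating what is inspected; the test of whether a given appliance does the former or the latter is exactly the kind of "notes from the field" item the thread is asking for.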