Re: [WEB SECURITY] Fwd: [SC-L] OWASP Podcast #6: WAFs

["Arian J. Evans" <arian.evans@xxxxxxxxxxxxxx>]

I forwarded the podcast to this list for several reasons.
There are some good ideas in it, some funny comments,
and most importantly, folks on this list who want to hear it.

Your statements about me are blatantly dishonest and say
all we really need to know.

I addressed your comments below to the degree needed
to clarify their dishonesty with regard to me.

Apology to the list for stirring this up.

Andre, I will have no further responses to you:


On Fri, Feb 6, 2009 at 5:03 PM, Andre Gironda <andreg@xxxxxxxxx> wrote:
> On Fri, Feb 6, 2009 at 5:07 PM, Arian J. Evans
> <arian.evans@xxxxxxxxxxxxxx> wrote:
>> I found it a biased --but  -- you are absolutely correct.
>> I did not make it through all 70-some minutes of the thing.
>
> well sorry i didn't read all of your email and just responded out of
> pure hate.  no, wait.  i read all of  it, and i'm simply responding to
> your obvious lack of experience and clue in this industry.


Again, no need to get emotional. I forwarded it on so
folks here could enjoy it.


> yeah, maybe you should listen to the podcast.  did you listen to it
> yet?  or are you going to waste another 70 minutes on an email about
> the subject instead of listening to it?

Yep, I went back through it. Some things were covered well,
and some things could be covered better from a different perspective,
I think, as I stated from the beginning.


>> I don't know anyone running ModSecurity and WebGoat in production.
>
> do you even know what WebGoat is?  i guess not!


Again, I don't see anyone running David Rhoades' Buggy Bank,
or WebMaven, err, sorry -- WebGoat v1 or later, in production.
Nor are they running Hacme bank nor Hacme books nor my
.NET XSS generator in production so what is the point?

I have never seen anyone using ModSecurity to protect WebGoat
in production either.

If using those two together is your deal...that's cool.


>> I did not hear you address anything like the specific scenarios
>> I encounter out in real life. Like autodetection/protection limitations
>> in commercial WAF products used in the field that prevent them
>> from properly protecting issues.
>>
>> e.g. state table or memory mapping limitations, or limitations
>> on name=value pairs parsed for performance reasons, etc.
>> Where you run into, not infrequently on some software, an
>> n+1 limitation of the WAF (n=limitation).
>
> hrmn, so you're having operational/performance problems with your
> whitehatsec approach?  i could have told you that ahead of time.


Nah, the whole point of WhiteHat's approach is to provide ways to
mitigate without dealing with product limitations.

But you must already know that.


>> I take a more mathematical approach to information security.
>
> no, you take a marketing approach to information security.


I make my statements based on publicly measurable matters
of fact and existence.

The burden of proof is on you for your assertion..



> IRL Business-land is where YOU sell products.  IRL Secuirty-land is
> where risk analysis happens and people like ME figure out how to solve
> IRL World-problems.


I do not sell anything. My job is to ensure that people can
identify and have accurate data to solve their problems on
an implementation and tactical level. It is also to provide
data to make business-level risk-analysis decisions in a
consistent and complete fashion.

Earlier in my career, at several junctures, my job was to
work with business owners to build and maintain web-
based business solutions. And, later, to figure out how
to secure them.

Have you ever built business software, Andre?

After all...this is all about you.



> Look, I've been running 30Gbps outbound networks and controlling them
> with BGP since 1996.  I've worked for various ISP's and content
> providers since that time.  I practically invented the IPS and the WAF
> back in 1998/1999, and you weren't there or on the map until about 2006.


I can make a list of people that were doing IPS and trying
to do WAFs back in 1998, and before 1998, both writing
them and running them. I worked with many of them, too,
and can name-drop with the best of them.

After writing web apps & consulting in the mid 90s, I designed
and deployed early WAFs for CSOURCE for Sprint and
Time Warner (as well as designing thin client apps). By
1998 and 1999 I was writing my own rudimentary WAFs
on top of squid, at first. Some of the eEye guys and some
of the L0pht/@stake guys helped me out a lot back then.

Since then I have given some presentations on WAFs,
scanners, encoding, software, and security, and released
tools, code, and advisories at software and security conferences
around the world and written parts of a book on these
subjects. I had significant help on all of it, though, from
much smarter minds than mine.


>  You were at a compliance-driven security consulting vendor,
> until you ended up where you are now:


Let's keep the record honest for the confused on the list:

Do you mean FishNet Security? I helped start the software
security practice there, which was independent of the entire
rest of the organization (Gene Abramov @ Depth Security
*actually* started/ran the first projects. Go Depth!).

FNS competed with top companies all over the world in
the field of software security starting around 2001/02-ish,
in addition to publishing vulnerability research and security
advisories on network and security products. You can look
up the advisories for vendors like Nokia and Cisco.

We did source code reviews, scanner reviews, WAF XML/
gateway reviews, threat modeling, pen tests and architectural
analysis for some of the largest companies in the world
using methodologies I created.

Now -- to be fair -- Steven M Christy @ Mitre helped me
out *a lot* with my source code review methodology. I owe
him significant thanks for improving my thinking there. And
more thanks to some folks doing work up @ MS, especially
for helping me see where I was chasing my tail when I
proposed a ring-0 architecture to enforce a data/function
boundary at a hardware level to get away from stack
canaries and the like. I was quite naive, but that was 2002
or 2003.

If I were to make a list of people I owe for helping me out,
I'd probably need a month to make it. </shoulders_of_giants>

FishNet, as you pointed out, does have a compliance
practice. It had nothing to do with the software security practice,
at least through 2006.


> at a snake-oil product vendor that focuses on compliance-driven
> security solutions that are short-term in effect and that will
> ultimately set our industry back at least 12 years.


My employer does not focus on "compliance-driven security
solutions that are short-term".

I am not sure what "industry" you are in, but I think it is
safe to say I am in a different one. I am in the software
services industry -- and my focus is to service my clients.

I am very proud of the work I do for my employer, and of
the work we do for our customers. Serving and solving
our customers' needs is what comes first.

We have some pretty smart customers, and they are
pretty good about telling us what they need.

I will leave the job of telling them that they are setting back
"your industry by at least 12 years" up to you.



> Dynamic code bases and hundreds of applications are my
> bread-and-butter.  I don't simply scan them with a black-box tool (way
> after production) and throw a WAF in front of them either.  I do a lot
> more, and I suggest that a lot more be done.


Strategic consulting services can certainly be an important part
of any information security program.

I think we all are very glad to read that you don't just "scan
them with a black box tool way after production" or "throw
a WAF in front of them".

Those are definitely not intended to be replacements for the
human analysis required to run a strategic Enterprise-wide
information or application security program.

Looks like we end in agreement then, cheers,

---
Arian Evans

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA