
[WEB SECURITY] RE: 02/2009 WASC WAF thread



> 1) Have you ever dealt with a compromise incident 
> on a web app at an organization with a WAF, that 
> could not have been stopped by a WAF?

We do the occasional cleanup, but not that many (it isn't core business
for us).  But of the last three we have been called in to help on, all
were relatively complex, and a WAF wouldn't have been able to help.

> 2) If #1, should it have been stopped by a WAF, 
> and do you have any idea why it was not? (e.g.- 
> product limitation, lack of configuration, etc.)

...

> 3) What do you think the #1 reasons WAFs are not 
> helping your customers is?

Mostly because they don't work very well. :)  Like I have said before,
they try and fix problems by looking at the data validation of the user
input as it enters the web tier.  I would suggest that the vast majority
of vulns in a web app aren't caused by validation at all, but by
failures to encode appropriately when the data leaves the web tier.  So
even if you use a WAF to fix the problem, it hasn't (as it were). 

> 4) If your customers have a problem (or three) as 
> you stated below in using those WAFs, why do you not 
> solve your customers' problems with using their WAFs?

For a couple of reasons.  Firstly we are usually assessing the apps; if
we started configuring them too, then this would be a conflict of
interest.  Secondly, as above, WAFs don't actually work well.  :)

Martin...
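The point made in the answer to question 3 above, that most web-app bugs come from failing to encode data as it leaves the web tier rather than from failing to validate it as it enters, is easy to show in code. The following is an added example, not code from Martin or from the list; the sample inputs are constructed and the helper names (naive_input_validator, render_comment, the encode_for_* functions) are mine. It contrasts a WAF-style check at the input boundary with per-context output encoding, and shows why the boundary check cannot know which encoding the data will eventually need.

```python
import html
import json
from urllib.parse import quote

# Constructed sample inputs: all legitimate content a real user might submit.
SAMPLE_INPUTS = ["O'Brien & Sons", "<b>not bold</b>", 'say "hi"', "a/b?c=d"]


def naive_input_validator(value: str) -> bool:
    """WAF-style check at the input boundary.

    Rejects anything containing characters that *might* be dangerous
    somewhere downstream.  It has no idea where the value will be rendered,
    so it must either reject legitimate data or let risky data through.
    """
    return not any(ch in value for ch in "<>\"'")


# Output encoders: one per rendering context.  The right one depends on
# where the data goes, which only the code emitting the page knows.

def encode_for_html_body(value: str) -> str:
    """Safe inside element content, e.g. <p>...</p>."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Safe inside a double-quoted attribute, e.g. title="..."."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Safe as a JavaScript string literal inside a <script> block.

    json.dumps produces a valid double-quoted JS literal; '<' and '>' are
    additionally escaped so the literal can never close the <script> tag.
    """
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def encode_for_url_param(value: str) -> str:
    """Safe as a query-string value, e.g. href="/search?q=..."."""
    return quote(value, safe="")


def render_comment(author: str) -> str:
    """Emit the same untrusted value into four different contexts.

    No validation is applied on the way in; each sink encodes on the way
    out, so the output is well-formed regardless of what the input was.
    """
    return (
        f"<p>Posted by {encode_for_html_body(author)}</p>\n"
        f'<a title="{encode_for_html_attribute(author)}" '
        f'href="/search?q={encode_for_url_param(author)}">profile</a>\n'
        f"<script>var author = {encode_for_js_string(author)};</script>"
    )


def raw_markup_leaked(author: str) -> bool:
    """True if any raw '<' from the input survives unencoded in the output."""
    rendered = render_comment(author)
    return "<" in author and (
        author in rendered or f"<script>var author = \"{author}\"" in rendered
    )


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        accepted = naive_input_validator(value)
        print(f"{value!r}: boundary validator {'accepts' if accepted else 'REJECTS'}")
        print(render_comment(value))
        print(f"raw markup leaked: {raw_markup_leaked(value)}\n")
```

Running it shows the trade-off directly: the boundary validator rejects three of the four legitimate inputs, yet even if it accepted them it would have contributed nothing to safety, because the same string needs four different encodings at four different sinks. The encoders, sitting where the data leaves the web tier, handle all four inputs without rejecting any.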

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



Brought to you by http://www.webappsec.org