
Re: [WEB SECURITY] RE: 02/2009 WASC WAF thread

An example WAF vendor's product literature:

> Introducing Product X: Drop-in solution for
> PCI Compliance, Virtual App Patching, Data Loss Prevention
> Drop-in - Does not require recoding applications, deployable in under an hour
> PCI 6.5/6.6 compliance is just a few clicks away
> Built-in PCI profile for out-of-the-box instant protection
> Drop all suspicious traffic, permit the rest

This is misleading, correct?

> It's more than just PCI!
> Gramm-Leach-Bliley Act (GLBA) Safeguards Rule
> Act focuses on Financial Services Modernization
> Requires protection of personal non-public information
> Sarbanes-Oxley (SOX) Section 404
> Covers Management Assessment of Internal Controls
> Requires protection of financial records and data
> Health Insurance Portability and Accountability Act (HIPAA) Security Rule
> Establishes standards on health care transactions
> Requires protection of personal non-public information
> These acts are driving focus on data leakage from applications
> Forrester estimates the market at $180M in 2008 and growing

Forrester estimated the WAF market would be at $180M last year.  Did
this happen?

> WAF: virtual patching & DLP save $$$
> Virtual Web Application Patching
> By deploying application hot patches (permit only this
> value in this web form; deny those bad patterns to this
> app) a large amount of code review / dev / test time is
> saved, and no app downtime is required!
> Data Leakage Prevention
> The WAF can perform one for one search and replace
> on content returned from server and hide sensitive info.
> The WAF can also remap error codes returned by web
> apps
> Virtual patching extremely interesting financially

Again, does anyone think this is entirely misleading?  No app downtime required?

If cardholder data or PII is making it to the WAF from the web server
unencrypted, I fail to see how a search and replace is going to make
that company compliant in any sense of the meaning.  What is with this
sort of feature?

Additionally, how is a user supposed to input his or her information
and ensure/verify it is correct if the WAF is preventing the user from
seeing this data?

> XML accounted for 15% of internet traffic in 2005. By 2008, it is
> expected to account for 50% - The 451 Group

Ok, great (probably made up) statistic.  Only one issue here.  XML (or
as Douglas Crockford at Yahoo says, "JSON is the X in Ajax") and JSON
exist inside of SOAP, REST, WSDL, Ajax, Actionscript, Javascript,
Flash, and other RIA technologies.

WAFs usually only see as far as HTTP, not the above stuff inside HTTP.
When they do, they often miss a lot!

> Why not just fix the code?
> Every 1000 lines of code averages
> 15 critical security defects
> (US Dept of Defense)
> The average business app has 150,000-
> 250,000 lines of code
> (Software Magazine)
> The average security defect takes 75
> minutes to diagnose and 6 hours to fix
> (5-year Pentagon Study)
> Developers typically focus on new functionality not bugs
> It is too expensive to fix the security bugs

This is probably the most misleading thing I'm seeing so far.  The
vendor wants you to combine the numbers (taken from different sources)
and add it up for yourself.

The problem is that developers shouldn't focus on fixing
vulnerabilities "one at a time" as bugs or feature requests.  They
should focus on fixing software weaknesses as requirements, by design,
and for the safety and prosperity of their customers and users.

How long does it take to implement individual secure coding practices
that eliminate software weakness one-by-one?

Cheers,
Andre

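To make the "search and replace on content returned from server" feature concrete, here is an added example (not the vendor's product, not code from this thread) of what such a response filter amounts to: a regex plus a Luhn check that masks card numbers in an outbound HTTP body. The sample responses, header names and the `decode` switch are constructed for illustration. Two points from the discussion above show up in it: the card number has already left the web server in the clear before the filter ever sees it, and a filter that inspects only the raw bytes on the wire (here, a gzip-compressed body) matches nothing at all unless it first decodes the layer the data lives in.

```python
import gzip
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; cuts down false positives
    such as order ids that happen to be 16 digits long."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in text with asterisks, keeping the last 4."""
    def repl(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return raw  # not a card number; leave it alone
    return PAN_RE.sub(repl, text)


def filter_response(headers: dict, body: bytes, decode: bool) -> bytes:
    """Apply the mask to one HTTP response body.

    decode=False models a filter that only looks at the raw bytes on the wire;
    decode=True models one that unwraps Content-Encoding before matching.
    Either way, the body reached this point from the server unmasked.
    """
    if headers.get("Content-Encoding") == "gzip":
        if not decode:
            return body  # compressed bytes contain no digit runs to match
        plain = gzip.decompress(body).decode()
        return gzip.compress(mask_pans(plain).encode())
    return mask_pans(body.decode()).encode()


if __name__ == "__main__":
    # Constructed sample bodies; 4111 1111 1111 1111 is the well-known test PAN.
    plain = b'{"name": "A. User", "pan": "4111 1111 1111 1111", "order": "1234567890123456"}'
    print(filter_response({}, plain, decode=False).decode())
    gz = gzip.compress(plain)
    print(filter_response({"Content-Encoding": "gzip"}, gz, decode=False) == gz)
    print(gzip.decompress(filter_response({"Content-Encoding": "gzip"}, gz, decode=True)).decode())
```

The order number survives because it fails the Luhn check, which is the sort of false-positive control a real product needs; the compressed case shows why "what the WAF sees" depends entirely on how many layers it is willing to decode.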
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



Brought to you by http://www.webappsec.org