What web application security really is

Date June 17, 2008

One more post before I really should head off to bed ;)

Another blog that I’ve read on-and-off, but which has just got a permanent place in my RSS reader, is ts/sci security. There has been one post recently that, although I don’t agree with it 100%, certainly is “on the money”.

http://www.tssci-security.com/archives/2008/06/15/what-web-application-security-really-is

The only part I’m not sold on is the…

If you think that implementing a WAF will save you (even in the short-term), please let us know why you believe this is the case.  TS/SCI Security sees the WAF answer as FUD, lies, and/or short-sightedness.

…bit at the very end. I’m not as enthusiastic as Jeremiah Grossman is, but I feel there’s some benefit in WAF rules some of the time. The default should be to “recode or replace while we still have the chance”, but sometimes that isn’t immediately possible (resources, understanding, change windows, etc, etc). Having a temporary “patch” and a level of defense in depth isn’t “bad” per se, although given a choice we should always fix at the code level, because that’s where the cause is and where there’s the most context to know what to do.

In any case, discussion is good.

2 Responses to “What web application security really is”

  1. Andre Gironda said:

    If developers are so hard to work with, so miserably stupid, and so unwilling to develop with security in mind — then how can a WAF vendor write secure software for their own products? This is the classic example of where a security vendor assumes that their own products are secure just because they are a security company.

    If a WAF is insecure — then it adds to the insecurity of the network more than it subtracts from it. This hurts the “defense in depth” architecture and it weakens the system/infrastructure as a whole. Thus, it is bad.

    If there are some benefits to WAFs some of the time, then we should be specific about when those events are. Let’s identify them. I can’t think of any situations where this universally applies. However, the rest of the industry analysts and popular theory is that WAFs (or VA+WAF) are magical beans. I am simply trying to dispel that theory, based on my own experiences and observations.

    If you have a story where you know WAF works, let’s hear it. Yet, every day, I hear about websites in the news — websites that utilize WAF technology — and they are vulnerable to various SQLi and XSS attacks. SQLi and XSS are some of the only web application vulnerabilities that WAF is supposed to protect against. If WAFs can’t even protect against these, how are they ever going to be able to protect against business logic flaws, vulnerabilities in session management, cryptographic storage, or the hundreds of other common flaws in web applications?

    What is the value? How are they showing value? Why is it assumed that they are valuable? My strawman presupposition is that they universally hurt more than they help. Am I wrong? In what way?

    After this dust is settled, there is still the question of what works better: process improvements with a secure SDLC, or VA+WAF? I’ve thought very hard about this one, and I still see secure SDLC coming out very far ahead — even in the short-term. What would it take to prove this?

  2. VA+WAF: that’s hot! | Mike Andrews said:

    [...] the “hot” topic in webappsec this week.  First up we have the ts/sci post that I linked to earlier, Andre responded, and we also have a post from the guys at [...]
