Comments on: VA+WAF: that’s hot! http://www.mikeandrews.com/2008/06/19/vawaf-thats-hot/ Fri, 09 Apr 2010 12:01:55 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: It’s BlueHat week | Mike Andrews http://www.mikeandrews.com/2008/06/19/vawaf-thats-hot/comment-page-1/#comment-240 It’s BlueHat week | Mike Andrews Tue, 14 Oct 2008 05:48:32 +0000 http://www.mikeandrews.com/2008/06/19/vawaf-thats-hot/#comment-240 [...] BlackHat time I was talking to Jeremiah Grossman about the whole WAF issue and we though it would be a good topic to present somewhere – the pros and cons of WAFs vs [...] [...] BlackHat time I was talking to Jeremiah Grossman about the whole WAF issue and we though it would be a good topic to present somewhere – the pros and cons of WAFs vs [...]

]]> By: Armando Romeo http://www.mikeandrews.com/2008/06/19/vawaf-thats-hot/comment-page-1/#comment-202 Armando Romeo Tue, 24 Jun 2008 20:50:35 +0000 http://www.mikeandrews.com/2008/06/19/vawaf-thats-hot/#comment-202 <cite>If everything were patched, configured securely, and had updates applied to them immediately (forgetting for the moment zero-days and non-published vulns), then they wouldn’t be vulnerable right? It certainly would keep everyone on their toes, but I don’t think I know one person that would recommend that approach and I think we are in exactly that position with webapps today. </cite> Mike, I think you're missing one point here or maybe you forgot to mention: network firewalls deal with a fixed pattern that is network protocols. I know what protocols/services can be of "interest" to a hacker and I can easily protect them. Firewalls usefulness certainly depends upon who writes the rules but they can't be compared to WAF's as they have to defend from different kind of threats. Web applications have some degree of uniqueness (you must know all of its parts if you don't want to stick to a permit all). Attacks can be encoded. Some certain kind of attacks can't even be detected (CSRF to name one). So what security are WAF vendors giving? Andre Gironda has published a <a href="http://www.tssci-security.com/archives/2008/06/23/week-of-war-on-wafs-day-1-top-ten-reasons-to-wait-on-wafs/" rel="nofollow">nice post about it today</a>. WAF surely can help if you find a vulnerability in the middle of the night as you say. But it shouldn't be called security. It's a misbelief being sold not real long-term security. Customers (companies) are not always educated to understand this difference. <cite>Is there a market for VA+WAF - I’m sure there is - it addresses a need (or pain-point) that exists out there. </cite> That market has a name. Three letters, starts with P and ends with I. ;) Keep the great job up, Mike If everything were patched, configured securely, and had updates applied to them immediately (forgetting for the moment zero-days and non-published vulns), then they wouldn’t be vulnerable right? It certainly would keep everyone on their toes, but I don’t think I know one person that would recommend that approach and I think we are in exactly that position with webapps today.

Mike, I think you’re missing one point here or maybe you forgot to mention: network firewalls deal with a fixed pattern that is network protocols. I know what protocols/services can be of “interest” to a hacker and I can easily protect them. Firewalls usefulness certainly depends upon who writes the rules but they can’t be compared to WAF’s as they have to defend from different kind of threats. Web applications have some degree of uniqueness (you must know all of its parts if you don’t want to stick to a permit all). Attacks can be encoded. Some certain kind of attacks can’t even be detected (CSRF to name one).

So what security are WAF vendors giving? Andre Gironda has published a nice post about it today.
WAF surely can help if you find a vulnerability in the middle of the night as you say. But it shouldn’t be called security. It’s a misbelief being sold not real long-term security. Customers (companies) are not always educated to understand this difference.

Is there a market for VA+WAF – I’m sure there is – it addresses a need (or pain-point) that exists out there.

That market has a name. Three letters, starts with P and ends with I. ;)

Keep the great job up, Mike

]]>