The war on WAFs

Date June 28, 2008

Well, it looks like the war on WAFs is ON! TS/Sci Security have done a great series of posts on the topic, the vast majority of which I wholeheartedly agree with. I'm sure that any readers of this blog would already be reading TS/Sci, but, if only so I can remember it myself and have a record, I'll (badly) summarize the posts.

Week of War on WAF’s: Day 1 — Top ten reasons to wait on WAF’s - As it says on the tin, reasons to wait and not deploy a WAF. I guess that this is the post I disagree with the most out of the series, because of some of the items on the list, but that's beside the point - it's a good place to start the argument.

Week of War on WAF’s: Day 2 — A look at the past - To show that the argument against WAFs has been going on for quite some time, a copy of an email from OWASP to the Application Security Consortium (PCI) in 2004 is presented.

Week of War on WAF’s: Day 3 — Language specific - Points out that differences in how languages/frameworks (PHP, Ruby, ASP.NET, etc.) parse CGI variables may leave open holes. For example, if the WAF is written in C/C++ and parses URLs one way, the target script may parse them differently (despite what the RFC says) because of canonicalization issues.

Week of War on WAF’s: Day 4 — Closer to the code - Argues that validation should be closer to the code and that there are methods by which this can easily be added (one way put forward is Aspect Oriented Programming).
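To make the Day 3 and Day 4 points concrete, here is an added example (my own illustration, not code from the TS/Sci posts or from any WAF product) of validation applied at the code boundary as a decorator, standing in for the aspect. Each argument is percent-decoded until it stops changing; an input that only settles after two or more decodes is exactly the case where a filter that decodes once and an application that decodes again would see two different strings, so it is rejected as non-canonical before the rule runs. The `validated` decorator, `canonicalize`, `lookup_user` and the sample values are all hypothetical and constructed for this example.

```python
# Added example: validation at the code boundary (the "aspect"), with a single
# canonicalization step shared by the check and the code that uses the value.
import inspect
from functools import wraps
from urllib.parse import unquote_plus


class ValidationError(ValueError):
    """Raised when an argument is non-canonical or fails its rule."""


def canonicalize(value, max_rounds=3):
    """Percent-decode (and '+' to space) until the string stops changing.

    Returns (decoded, rounds). rounds == 0 means the input was already in
    canonical form; rounds >= 2 means it had been encoded more than once, which
    is the situation where a front-end filter and the target script can parse
    the same bytes into different strings.
    """
    current = value
    for rounds in range(max_rounds + 1):
        decoded = unquote_plus(current)
        if decoded == current:
            return current, rounds
        current = decoded
    # Still changing after max_rounds decodes: report it as non-canonical.
    return current, max_rounds + 1


def validated(**rules):
    """Hypothetical aspect: attach per-argument predicates to a function.

    Arguments are handed to the wrapped function already canonicalized, so the
    function never sees the encoded form and cannot decode it a second time.
    """
    def decorator(func):
        signature = inspect.signature(func)

        @wraps(func)
        def wrapper(*args, **kwargs):
            bound = signature.bind(*args, **kwargs)
            bound.apply_defaults()
            for name, rule in rules.items():
                value, rounds = canonicalize(bound.arguments[name])
                if rounds > 1:
                    raise ValidationError(f"{name}: encoded more than once")
                if not rule(value):
                    raise ValidationError(f"{name}: rejected by rule")
                bound.arguments[name] = value  # pass the canonical value on
            return func(*bound.args, **bound.kwargs)
        return wrapper
    return decorator


@validated(username=lambda s: s.isalnum() and len(s) <= 32)
def lookup_user(username):
    # Stand-in for application code; it only ever works on the canonical value.
    return f"user:{username}"


def check_input(raw):
    """Outcome for one raw parameter value: the result, or the rejection reason."""
    try:
        return lookup_user(raw)
    except ValidationError as exc:
        return f"rejected ({exc})"


if __name__ == "__main__":
    # Constructed sample values: plain, singly encoded, doubly encoded, and one
    # that is canonical but fails the rule.
    for raw in ["alice", "al%69ce", "al%2569ce", "bob smith"]:
        print(f"{raw!r:14} -> {check_input(raw)}")
```

The design choice worth noting is that the rule never runs on the raw string and the function never receives it: there is one decoder, and both the check and the code see its output. That is the property a WAF written in a different language, with its own URL parser, cannot guarantee for the script behind it.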

Week of War on WAF’s: Day 5 — Final thoughts - Identifies some short-term alternatives to using a WAF without going through a full SDLC.