> For many shops, having another type of firewall could cost
> millions whereas putting tools in the hands of developers may
> actually be cheaper. We as a community may be better served
> by encouraging application firewalls and letting the
> financial model for complying work in our favor...
I definitely agree, and I strongly disagree with Gary that application firewalls are "hare-brained" solutions. It has always been my feeling, and I try to put this into practice in my current role, that security is a multi-layer approach: secure coding practice in development, a proper QA cycle and regression testing, deployment security touchpoints, and finally, as the extra layer on top, application layer firewalls, so that if we ever have a 0-day style vulnerability it's very quick to throw in a rule to protect it and begin working on a patch.

Now I know that your consulting business relies on you promoting "security from the inside", but are you saying that application firewalls are pointless and we should stop using them? Or are you saying that it's ridiculous that we ever got to the point where applications are so insecure that we need a transaction-per-transaction inspection mechanism to make sure the bad guys aren't getting us? You may want to clarify this a little bit for us sec-newbs....

JS

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
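The "throw in a rule" stopgap the message above refers to is usually called a virtual patch: an application-layer firewall rule that constrains one request parameter on one path until the real code fix ships. The following is an added example of what such a rule engine looks like at its core; it is not code from the mailing list, from the poster, or from any particular WAF product. The paths (/account/view, /account/update), parameter names and allow-list patterns are assumptions chosen for illustration, and the requests in the usage lines are constructed.

```python
"""Minimal virtual-patch rule engine in the style of an application-layer
firewall: a positive-security (allow-list) rule is added for one parameter
on one path, and any request whose value does not fit is blocked before it
reaches the application. Added example; paths, parameter names and patterns
are assumptions, not taken from the original message."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class VirtualPatch:
    """The value of `param` on `path` must match `allowed` in full."""
    path: str
    param: str
    allowed: re.Pattern
    reason: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: Optional[VirtualPatch] = None   # the rule that fired, if any
    value: Optional[str] = None           # the offending value, if any


# Hypothetical rule set for this example: lock "id" on /account/view down to
# a decimal account number, and "email" on /account/update to a conservative
# address shape. Everything not listed here passes untouched.
RULES: List[VirtualPatch] = [
    VirtualPatch("/account/view", "id", re.compile(r"[0-9]{1,10}"),
                 "id must be a decimal account number"),
    VirtualPatch("/account/update", "email",
                 re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}"),
                 "email must look like an address"),
]


def parse_params(url: str, body: str = "") -> Dict[str, List[str]]:
    """Collect query-string and form-encoded body parameters. Blank values
    are kept so a deliberately empty parameter still hits the rule, and
    repeated parameters are kept as a list so every copy gets inspected."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    return params


def inspect(url: str, body: str = "",
            rules: List[VirtualPatch] = RULES) -> Decision:
    """Apply every rule whose path matches the request. The first value that
    fails its allow-list blocks the request."""
    path = urlsplit(url).path
    params = parse_params(url, body)
    for rule in rules:
        if rule.path != path:
            continue
        for value in params.get(rule.param, []):
            # fullmatch, not match: the whole value must fit the allow-list,
            # so "42 OR 1=1" does not slip past a leading-digit prefix.
            if rule.allowed.fullmatch(value) is None:
                return Decision(False, rule, value)
    return Decision(True)


if __name__ == "__main__":
    # Constructed requests for a quick manual run.
    for url, body in [("/account/view?id=42", ""),
                      ("/account/view?id=42 OR 1=1", ""),
                      ("/account/update", "email=<script>alert(1)</script>")]:
        d = inspect(url, body)
        print(url, body, "->", "allow" if d.allowed else f"block ({d.rule.reason})")
```

Two design points matter in practice. The rule is an allow-list on a named parameter, not a blacklist of attack strings, so it does not need to anticipate every encoding of the payload; and repeated parameters are all checked, since a rule that only looks at the first copy of "id" is trivially bypassed by sending a second one. The rule is still only a stopgap: it covers the one entry point it names, which is why the message above pairs it with "begin working on a patch".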