On 4/4/07, J. M. Seitz <[EMAIL PROTECTED]> wrote:
> From secure coding practice in development, proper QA cycle and regression testing, deployment security touchpoints, and finally adding the extra layer on the top is putting application layer firewalls in place, which if we ever have a 0-day style vulnerability it's very quick to throw in a rule to protect it, and begin working on a patch.
Absolutely, for me the best use of WAFs is to use them to fix or mitigate known (to the web application owner) vulnerabilities. This is the place where you get maximum ROI from it.

Trying to use WAFs across the board on all pages and fields works ok for simple web applications and for simple things (like detecting SQL error messages going to the user), but give it a complex app, and you will have massive and complex rules. They are also usually quite brutal in their responses since they don't allow dynamic content manipulation, they only allow binary decisions (aka 'when an attack is detected redirect to page xyz').

And why don't the WAFs promote this use case more? Every time I have a 5h discussion with them (last couple OWASP conferences :) ) they tell me that their clients don't ask for it (which is not true since one of my clients (a major financial institution) uses a WAF to 'mitigate' known vulnerabilities on a COTS).

I think the real reason is that the current WAFs (with some uses of ModSecurity being an exception) don't have access to the state of the application (i.e. the business layer and data layer), so there are tons of vulnerabilities that they can't mitigate against. Basically, in order to mitigate a vulnerability the current WAFs need the application to give them clues of what are valid and non-malicious requests (something that is easy on technical vulnerabilities (aka SQL Injection) but very hard for 'Business Logic Vulnerabilities' (should this user be accessing this data or making this transaction?)).

This is why I jokingly said 'currently WAFs don't protect against layer 7 attacks, they only protect from Layer 7 1/2 attacks' :)

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org
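As an added illustration of the two WAF uses discussed in this thread (a quick rule to mitigate a known vulnerability while a patch is written, and catching SQL error messages going to the user), here is a ModSecurity 2.x fragment. It is example configuration written for this post, not from Dinis, the list, or the ModSecurity project; the path /orders/view.php and the parameter id are hypothetical, and the regex of database error strings is a constructed sample, not a complete list.

```apache
SecRuleEngine On

# Response-body inspection is off by default; needed for the second rule.
SecResponseBodyAccess On
SecResponseBodyMimeType text/html text/plain

# Virtual patch for a known (hypothetical) SQL injection in the id parameter
# of /orders/view.php. The application only ever uses a numeric id, so the
# rule is a positive (allowlist) check rather than an attack-signature match.
# A chained rule: both conditions must hold for the disruptive action to fire,
# and the action list (deny/status/log) lives on the first rule only.
SecRule REQUEST_FILENAME "@streq /orders/view.php" \
    "id:100001,phase:2,t:none,chain,deny,status:403,log,\
     msg:'Virtual patch: non-numeric id on /orders/view.php'"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "t:none"

# Across-the-board check: stop raw database error text reaching the client.
# Binary decision only (deny and replace with a 500), no content rewriting.
SecRule RESPONSE_BODY \
    "@rx (?i:you have an error in your sql syntax|ora-[0-9]{5}|unclosed quotation mark)" \
    "id:100002,phase:4,t:none,deny,status:500,log,\
     msg:'SQL error message leaked in response'"

# What these rules cannot express: whether the logged-in user is allowed to
# view order id=42. That decision needs the application's session and data
# state, which the WAF does not see, so it stays in the application code.
```

Rules 100001 and 100002 use distinct ids; ModSecurity 2.7 and later refuse to load rules without one.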
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________