[WEB SECURITY] More Questions Than Answers
Ofer Shezaf
Ofer.Shezaf at breach.com
Thu Feb 9 08:24:43 EST 2006
Hi Maxim & Brent,
While my "purist" reaction is that application firewalls should not
replace patching, I find that this is often the case and is a very good
reason for buying application firewalls.
Applications are not perfect and their security problems are discovered
over time. But what do you do when vulnerabilities are discovered,
whether due to a breach, an audit or by a customer?
Modifying the application takes time, and on the other hand, if it has
any importance, you cannot just take it offline for the day, week or
month (or months) it would take to fix it. My experience shows that even
initial security testing of applications is done too late for fixing to
be easy.
I would say that this alone is worth using a WAF, and if you use the WAF
only for that, it would also be very easy to maintain.
~ Ofer
> -----Original Message-----
> From: Maxim Kostioukov [mailto:maxim at francoudi.com]
> Sent: Monday, February 06, 2006 4:46 PM
> To: Brent Johnson; websecurity at webappsec.org
> Subject: RE: [WEB SECURITY] More Questions Than Answers
>
> Brent,
>
> I doubt that you can find an "easy to install & manage" solution to the
> problem (indeed a bunch of problems, right?). Notice that WAFs do not
> protect against variable manipulation attacks: attacks that require
> understanding of the business context. Moreover, a WAF is not a
> substitute for application patches.
>
> In my opinion, it is reasonable to continue in both directions - patching
> the apps and looking for a WAF. As the first step consider, for example,
> open-source Apache mod_security: that will immediately mitigate some of
> the issues.
>
> ...and I feel that you are facing a lack of proper security policy and
> procedures in the company. Otherwise how may a flawed web interface bypass
> software contract reqs, testing and finally the customer's (your bank's)
> approval? So I would not restrict the solution to patching only...
>
> -----Original Message-----
> From: Brent Johnson [mailto:brent at fsebg.com]
> > I am the IT Manager for a small bank group, we've discovered that
> > several banking web applications we're using are vulnerable to
> > exploits.
> > I am looking for something that would be easy to install and most
> > importantly, easy to manage. Is there such a thing?
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
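The "virtual patch" use of a WAF that both replies describe (block the known bad input at the gateway while the application fix is still weeks away) looks like this in practice. This is an added example, not a rule from the thread or from the mod_security project; it uses the ModSecurity 2.x/3.x SecRule language rather than the syntax of the 2006-era releases, and the page path /account/statement.jsp and the parameter name acct are hypothetical. The rule is a positive-security check scoped to the one page known to be vulnerable: it states the only input shape that page legitimately needs and denies and logs everything else, so it needs no knowledge of the attack payload and can be removed by id once the vendor patch is deployed.

```apache
# Added example (not from the thread): a ModSecurity 2.x "virtual patch".
# Assumed scenario: /account/statement.jsp (hypothetical path) mishandles
# its "acct" parameter. Until the application fix ships, the WAF enforces
# the only value shape the page needs: a 1-12 digit account number.
SecRuleEngine On

# Chained rule: the first SecRule selects the vulnerable page, the second
# matches when acct is missing the expected shape. Only when both match
# does the disruptive action (deny, 403) of the first rule fire.
SecRule REQUEST_FILENAME "@rx ^/account/statement\.jsp$" \
    "id:900001,phase:2,t:none,log,deny,status:403,\
    msg:'Virtual patch 900001: unexpected acct value on statement.jsp',\
    chain"
    SecRule ARGS:acct "!@rx ^[0-9]{1,12}$" "t:none"

# When the real patch is live, retire the rule by id rather than editing
# the application again:
#   SecRuleRemoveById 900001
```

Because the rule is keyed to a single page and a single parameter, it is cheap to maintain, which is the point Ofer makes about using the WAF "only for that". The log line produced on every block is also the evidence that the exposure is being probed, so the same rule doubles as a detection for the interim period.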