[WEB SECURITY] WebScurity ->was-> Application Security Hacking Videos
brent at fsebg.com
Fri Jun 2 15:16:39 EDT 2006
Well, I just *feel* more secure having an application firewall in place.
Is that the answer you were expecting?
Because we started off with an application security audit that revealed our
vulnerabilities, prior to the FDIC audit, auditor results were
independently confirmed by a SpiDynamics WebInspect vulnerability scan -
which found a total of 7 critical, 5 high, and 20-something medium.
Policy states that if a site has a critical vulnerability, it needs to be
repaired within 24 hours or the site is taken off line, per FDIC
regulation... that's if the FDIC finds it. We had a head start by doing our
own scans prior to the FDIC audit.
We put the webApp.secure app firewall in place and had the auditor re-test,
then conducted the WebInspect, which came back with 0 critical, 0 high, and
4 medium (which are confirmed as false positives).
The FDIC came in, performed their audit and confirmed that everything is in
It took 1 day to get 5 installations done, and a total of 24 hours to go
from insecure to secure.
I'm sold on Application Firewalls, specifically webApp.secure. There is no
question in my mind or the minds of those that have reviewed these servers
that they are completely secure.
Brent Johnson, CIO
First Southeast Banc Group
From: Ivan Ristic [mailto:ivan.ristic at gmail.com]
Sent: Thursday, June 01, 2006 3:13 PM
To: Brent Johnson
Cc: websecurity at webappsec.org; pauls at utdallas.edu;
arian.evans at anachronic.com
Subject: Re: [WEB SECURITY] WebScurity ->was-> Application Security Hacking
On 6/1/06, Brent Johnson <brent at fsebg.com> wrote:
> I'd like to chime in on this as a user of the WebScurity firewall.
> Per their recommendations, we had the web server listen on 127.0.0.1:8080,
> and put the firewall app on the network interface on port 80. The
> installed quick, and it's doing its job. It has been installed for a few
> months and we haven't had to touch it.
> When I originally inquired on the list, I was told that what I was looking
> for wasn't possible (easy to install, easy to configure, set & forget, BWA
> HA HA HA!)... well, that's what I got, exactly what I wanted...
What you got then was a good professional response. Personally I don't
believe a "set & forget" is a meaningful deployment strategy for a web
application firewall. But I'd be interested to learn more about your
experiences. For example, why do you believe that you are more secure
now than before?
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
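The deployment quoted above (backend web server on 127.0.0.1:8080, the application firewall on the network interface on port 80) is only as strong as the backend's binding: if the backend is ever rebound to all interfaces, requests can reach it without passing through the firewall. The following check, added here as an illustration and not part of the original thread or of either product, parses constructed `ss -ltn`-style listener lines and flags a backend port that is reachable off-loopback or a fronting port that is missing. The sample lines, the port numbers and the function names are assumptions.

```python
"""Audit listening sockets for a reverse-proxy WAF deployment (added example).

Assumes the topology described in the thread: the backend listens on a
loopback-only port and the WAF listens on the public port. The listener
text below is a constructed sample in `ss -ltn` style, not real output.
"""
from typing import List, Tuple

# Constructed sample: the intended deployment (backend on loopback only).
GOOD_LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*
LISTEN  0       128     127.0.0.1:8080      0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
"""

# Constructed sample: backend rebound to all interfaces, so the WAF can be bypassed.
BAD_LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080        0.0.0.0:*
LISTEN  0       128     [::]:8080           [::]:*
"""

# Addresses that count as loopback for the purpose of this check.
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(text: str) -> List[Tuple[str, int]]:
    """Return (local_address, port) for every LISTEN line; headers are skipped.

    rpartition on ':' keeps IPv6 literals such as '[::]' intact.
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def audit_bindings(listeners: List[Tuple[str, int]],
                   backend_port: int, waf_port: int) -> List[str]:
    """Return findings; an empty list means the topology matches the intent.

    - the backend port must exist and be bound to loopback addresses only
    - the WAF port must exist, otherwise nothing is fronting the backend
    """
    findings = []
    backend_addrs = [addr for addr, port in listeners if port == backend_port]
    if not backend_addrs:
        findings.append(f"backend port {backend_port} is not listening")
    for addr in backend_addrs:
        if addr not in LOOPBACK:
            findings.append(
                f"backend port {backend_port} bound to {addr}: "
                f"reachable without passing through the WAF")
    if not any(port == waf_port for _, port in listeners):
        findings.append(f"WAF port {waf_port} is not listening")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_LISTENERS), ("bad", BAD_LISTENERS)):
        print(label, audit_bindings(parse_listeners(text), 8080, 80))
```

Run it against `ss -ltn` output on the host (or the platform's equivalent) as part of the periodic review Ivan asks about; an empty result confirms the backend is still only reachable via the firewall, which is the one property the "set & forget" deployment silently depends on.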