[WEB SECURITY] WebScurity ->was-> Application Security Hacking Videos

Brent Johnson brent at fsebg.com
Fri Jun 2 15:16:39 EDT 2006

Well, I just *feel* more secure having an application firewall in place.


Is that the answer you were expecting? 


Because we started off with an application security audit that revealed our 

Vulnerabilities, prior to our the FDIC audit, auditor results were 

independently confirmed by a SpiDynamics WebInspect vulnerability scan - 

Which found a total of 7 critical, 5 high, and 20-something medium 



Policy states that if a site has a critical vulnerability, it needs to be 

repaired within 24 hours or the site is taken off line, per FDIC 

regulation... that's if the FDIC finds it.  We had a head start by doing our

own scans prior to the FDIC audit.


We put the webApp.secure app firewall in place and had the auditor re-test, 

then conducted the WebInspect, which came back with 0 critical, 0 high, and 

4 medium (which are confirmed as false positives). 

The FDIC came in, performed their audit and confirmed that everything is in 

top shape.


It took 1 day to get 5 installations done, and a total of 24 hours to go 

from insecure, to secure.


I'm sold on Application Firewalls, specifically webApp.secure.  There is no 

question in my mind or the minds of those that have reviewed these servers 

that they are completely secure.


Brent Johnson, CIO

First Southeast Banc Group


-----Original Message-----
From: Ivan Ristic [mailto:ivan.ristic at gmail.com] 
Sent: Thursday, June 01, 2006 3:13 PM
To: Brent Johnson
Cc: websecurity at webappsec.org; pauls at utdallas.edu;
arian.evans at anachronic.com
Subject: Re: [WEB SECURITY] WebScurity ->was-> Application Security Hacking


On 6/1/06, Brent Johnson <brent at fsebg.com> wrote:

> I'd like to chime in on this as a user of the WebScurity firewall.


> ...


> Per their recommendations, we had the web server listen on,

> and put the firewall app on the network interface on port 80.  The

> installed quick, and its doing its job.  It has been installed for a few

> months and we haven't had to touch it.


> ...


> When I originally inquired on the list, I was told that what I was looking

> for wasn't possible (easy to install, easy to configure, set & forget, BWA

> HA HA HA!)...  well, that's what I got, exactly what I wanted...


What you got then was a good professional response. Personally I don't

believe a "set & forget" is a meaningful deployment strategy for a web

application firewall. But I'd be interested to learn more about your

experiences. For example, why do you believe that you are more secure

now than before?



Ivan Ristic, Technical Director

Thinking Stone, http://www.thinkingstone.com

ModSecurity: Open source Web Application Firewall



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20060602/a4eed369/attachment.html>

More information about the websecurity mailing list