[WEB SECURITY] WebScurity should chime in with some facts

Evans, Arian Arian.Evans at fishnetsecurity.com
Mon Jun 19 13:13:57 EDT 2006


> -----Original Message-----
> From: Brent Johnson [mailto:brent at fsebg.com] 
> I'd like to chime in on this as a user of the WebScurity firewall.
> Our bank was faced with going back to the drawing board on 
> all these web apps, or looking into an app firewall.

The value-proposition can be attractive, no doubt, in many cases...

> compared to what the dev's on this list say about it don't 
> match.  I can't imagine that they've used it.

I'm one of the most vocal commenters on this subject, and I've used it,
and about a dozen other WAFs, and based upon the uninformed, anecdotal
data spread by WAF reviews on the likes of InfoWorld and various security
mags, I believe most people don't know what they are doing with them. </opinion>

> When I originally inquired on the list, I was told that what 
> I was looking for wasn't possible (easy to install, easy to configure,
> set & forget, BWA HA HA HA!)...

I in fact told you almost exactly this, minus the geek/nerd laughter.

That is because, in my experience, what you speak of is not possible.

My experience has limitations, but I am also pretty confident that I've
built interesting labs, performed in-depth tests, and spent more time
with both the automated testing tools and WAFs than most folks I talk to,
and while *I certainly* make mistakes through errors of knowledge, I
have yet to see "auto-fix" that actually "works".

I have no idea what "Criticals" and "Highs" you found with WI, and this
thread probably isn't the place for in-depth analysis of various scanners,
their tests, and the "cheats" that a WAF could implement to make many web
scanners report "zero" by merely implementing one of several techniques.

I also have no idea what the skill level of the auditor/scanner users
was. I would love more data/detail from yourself, WebScurity, etc.,
about the kind and nature of issues, and how the WAF effectively solved
them....though I realize this is probably not data you want to
publish on the Internet. </catch_22>

>  well, that's what I got, exactly what I wanted...

That, I guess, is the important point.

I'm probably done testing scanners at this point. Sounds like the next
target needs to be the WAFs. There's some interesting and varied approaches
out there, and no one besides Aspect's F5 review has done very in-depth
analysis of these things and published the results.


The Web Security Mailing List
