[WEB SECURITY] PCI 6.6 Questions

Yuval Ben-Itzhak yuvalben at netvision.net.il
Tue May 29 14:19:20 EDT 2007



Back in 2002 KaVaDo implemented a technology where the Scanner repository
can be used to configure either the WAF or other security products. It helped
to easily configure the WAF without really understanding what a WAF is about
and how strict the security policy is (back in 2002, this was the case in
the market :-)

I filed a patent application on this in 2002: "Method for the automatic
setting and updating of a security policy", Application# 20050038881.
I really do not know if Protegrity is still using it.

Yuval.
  -----Original Message-----
  From: Jeff Forristal [mailto:jforristal at spidynamics.com]
  Sent: Tuesday, May 29, 2007 3:06 PM
  To: Ofer Shezaf
  Cc: WASC Forum
  Subject: RE: [WEB SECURITY] PCI 6.6 Questions


  Thanks for weighing in, Ofer.  You bring up some really good points.  I
just wanted to make two small comments:

  > Further research and technological advancement in each of the three
  > technologies would for sure help. I am always amazed at how little
  > independent research is done on application scanners, web application
  > firewalls

  Nessus?  Nikto?  Whisker?  Mod_security (before Breach)?  There have been
notable open-source efforts into researching application scanning and
automation, webapp firewalls, etc.  And some of them were so successful
they moved on to official commercial support.

  > Another idea is to make the different tools work together. Nearly every
  > combination would greatly enhance security. A scanner could create virtual
  > patching rules for a WAF

  KaVaDo did this years back.  You could feed ScanDo scanner output into
InterDo WAF, to help configure it.  But I don't know the current state of
things (after KaVaDo was purchased by Protegrity).

  - J



  From: Ofer Shezaf [mailto:OferS at Breach.com]
  Sent: Monday, May 28, 2007 8:28 AM
  To: Boaz Shunami; Bubba Gump; Jeff Forristal
  Cc: webappsec @OWASP; WASC Forum; webappsec at securityfocus.com
  Subject: RE: [WEB SECURITY] PCI 6.6 Questions



  I would like to add a different dimension to the WAF vs. black-box vs.
code review discussion.

  It is interesting to note that on the network and system layer nobody
questions today the need to provide all layers of security: system hardening
("code review"), system and network scanning ("black-box testing") and
firewalling ("WAFing"). I think that the same is true of the application
layer, and good application security requires all the security layers above.
Each layer has its pros and cons (heavily discussed in this thread),
compensating for the others' shortcomings and offering better security.

  So why do we still repeatedly need to go through this heated discussion?
As usual, it is a question of economics. While I think that the risk
associated with application security is already understood today, the
countermeasures are too expensive, forcing customers to choose just one
of them, and in many cases to implement even this one only partially.

  The key to having more secure applications is therefore more automation.
As long as security is charged by the hour, it is too expensive for the
masses. Static code analyzers, Application Scanners and Learning Web
Application Firewalls all provide automation which is maturing and becoming
more useful, but still requires too much manual work to be a commodity.

  How can we help in making these solutions a commodity?

  Further research and technological advancement in each of the three
technologies would for sure help. I am always amazed at how little
independent research is done on application scanners, web application
firewalls and web intrusion detection (at least static analyzers receive
more academic attention). After all, it is always sexier to research a new
and thrilling exploit than a countermeasure. Just look at the programs of
OWASP Europe, BlackHat and the like, and see how many hacking talks there
are and how few (technical) countermeasure talks.

  Another idea is to make the different tools work together. Nearly every
combination would greatly enhance security. A scanner could create virtual
patching rules for a WAF. A learning WAF can provide a profile for a scanner
to serve as a starting point for the fuzzer. Both can point a code analyzer
to the problematic inputs of an application. And so on.

  ~ Ofer Shezaf
  ModSecurity Core Rules project leader
  CTO, Breach Security
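The scanner-to-WAF hand-off discussed in this thread, as an added example that is not part of the original messages and not KaVaDo's ScanDo/InterDo or ModSecurity code: a constructed scanner report is turned into positive-security virtual patches in ModSecurity 2.x rule syntax, and a small simulator shows which requests those patches would deny. The report format, the rule ids and the whitelist shapes are assumptions made for the example.

```python
import json
import re

# Constructed scanner report (sample data, not the output of any real scanner):
# each finding names the path, the parameter and the input shape the app expects.
SCAN_REPORT = json.dumps({"findings": [
    {"path": "/account", "param": "id", "type": "sqli", "expected": "int"},
    {"path": "/search", "param": "q", "type": "xss", "expected": "text", "maxlen": 64},
    {"path": "/search", "param": "q", "type": "xss", "expected": "text", "maxlen": 64},
]})

# Positive-security whitelist shapes keyed by the input type the scanner reports.
SHAPES = {"int": r"^[0-9]{1,10}$", "text": r"^[A-Za-z0-9 ._-]{0,MAXLEN}$"}


def virtual_patches(report_json, id_base=100000):
    """Derive one ModSecurity 2.x virtual patch per vulnerable path/parameter.

    Each patch is scoped to the affected path and denies any value of the
    parameter that does not match the expected shape: it closes the one
    confirmed hole rather than adding a generic attack signature.
    """
    patches, seen = [], set()
    for f in json.loads(report_json)["findings"]:
        key = (f["path"], f["param"])
        if key in seen:  # duplicate findings collapse into one rule
            continue
        seen.add(key)
        shape = SHAPES[f["expected"]].replace("MAXLEN", str(f.get("maxlen", 256)))
        rule_id = id_base + len(patches)
        text = (f'SecRule REQUEST_FILENAME "@streq {f["path"]}" '
                f'"id:{rule_id},phase:2,deny,status:403,chain,'
                f'msg:\'Virtual patch ({f["type"]}) {f["path"]} {f["param"]}\'"\n'
                f'    SecRule ARGS:{f["param"]} "!@rx {shape}"')
        patches.append({"id": rule_id, "path": f["path"], "param": f["param"],
                        "shape": re.compile(shape), "rule": text})
    return patches


def blocked(patches, path, args):
    """Simulate the patches against one request (path plus decoded args).

    Returns the id of the first patch that would deny it, or None. Like the
    chained rule, it fires only when the path matches and the parameter is
    present but fails the whitelist; other paths or absent parameters pass.
    """
    for p in patches:
        if p["path"] == path and p["param"] in args:
            if not p["shape"].match(args[p["param"]]):
                return p["id"]
    return None
```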

