[WEB SECURITY] thoughts on WAF deployment options?

Ivan Ristic ivan.ristic at gmail.com
Tue Apr 22 17:57:19 EDT 2008


On Tue, Apr 22, 2008 at 9:58 PM, Arian J. Evans
<arian.evans at anachronic.com> wrote:
> > One correction - Breach's WebDefend is out of line (you had it in the
> > inline transparent bridge group).
>
> ...
>
> btw// I hear a lot of *talk* about Modsecurity, but I don't know anyone
> who actually runs it (another topic of discussion).

I am guessing that, in the types of environment you are involved with,
people want to have a box to put on their network. (It's a perfectly
reasonable thing to ask for, by the way.) ModSecurity is not a
product, it's a toolkit. To deploy ModSecurity, you need to get
through the steps of getting some hardware, installing Apache, adding
ModSecurity and, finally, dealing with the configuration. We also kind
of force you to think about your configuration. I am happy for people
to have to do this, because it helps their understanding of the web
application security problem. My primary concern has always been to
enable those who want to be secure to be secure.

However, in supporting ModSecurity over the years, I have come to
realise that there is a (large) group of people who want to be secure,
but who don't really want to understand the problem they are dealing
with. The real challenge is helping them. The experts will manage.

-- 
Ivan Ristic

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


