[WEB SECURITY] Fwd: [SC-L] OWASP Podcast #6: WAFs

Andre Gironda andreg at gmail.com
Fri Feb 6 17:38:37 EST 2009


On Fri, Feb 6, 2009 at 11:21 AM, Arian J. Evans
<arian.evans at anachronic.com> wrote:
> BTW -- In this podcast you will find a glaringly apparent
> anti-WAF bias

sounds like arian didn't listen to the podcast, but is merely making
judgments based on who was in the podcast.

> The anti-WAF bias in the podcast is, amusingly, for the
> wrong reasons IMO, and shows an utter lack of experience
> or understanding of business needs/realities surrounding
> "secure code" and WAFs

yes, allow me to restate the fact that arian didn't listen to the
podcast.  all of the experiences and understanding of business needs /
reality were addressed in the podcast by each of the speakers.  in
fact, i think this was the goal of the podcast.

> WAFs *are* in a flux right now.

again, arian must have not listened to the podcast, especially the
parts about va+waf and va+waf+sca.

> They seem to work well on simple apps for binary syntax
> vulns (SQLi or not). They struggle on complex applications,
> particularly internationalized software, but mostly due to
> implementation issues (charsets, regional encoding support).

actually, arian must not have listened to that particular section of
the podcast.  maybe he listened to the intro.  i think a lot was said
about encoding by Jim Manico and myself.  i made specific reference to
Microsoft SRE.

> They should work even better for many business logic vulns,
> but they don't (again due to implementation and usability
> limitations). Most folks I talk to that have been using WAFs
> for 1-2+ years are openly aware that they cannot protect
> simple business logic issues without explicit configuration
> and do not have the time to find and configure for things that
> the WAFs *could* easily be protecting.

well i guess arian missed the part about ModSecurity and WebGoat.  he
probably didn't listen to Podcast #2 either.

> There are only three vendors that make up 95% of the market
> I run into, and for three different (specific) reasons.

if arian is talking about F5, Imperva, and Citrix, then I believe he
is a sad case of following the security product industry too closely.
are you taking any kickbacks, arian?  got some friends-and-family
stock?

> The community over @ SC-L seem to have their heads in
> the sand about what businesses are really doing, and going
> to continue doing to "secure their code".

hahahahhahahaaha.  yes, the people on the secure coding list have no
idea what they are talking about.  good one.

> We should get some real-world WAFness going on here,
> or on Joe's website. And another opportunity:
>
> http://en.wikipedia.org/wiki/Web_application_firewall

we welcome a retort.  perhaps you'd like to join the OWASP Podcast for an hour?

linking to Wikipedia is probably the saddest thing i've ever seen you
do.  this is really going to hurt your credibility.  i believe that
marketing people know how to use Wikipedia and sometimes it's their
day-job to just make sure Wikipedia has a product-slant/bias.

> Where are the "Notes from the Field" from those of
> you working with them?

hrmn guess you didn't listen to the podcast.

> Are we all going to let the software-purist-tautology
> crowd define the solutions out of the problem for us? :)

well, gosh, i would hope so.  isn't everything we do made of software?
didn't network security fail?  didn't product-based security fail?
didn't compliance-driven security fail?

dre

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA