[WEB SECURITY] 02/2009 WASC WAF thread

Andre Gironda andreg at gmail.com
Sun Feb 8 22:09:55 EST 2009


On Sun, Feb 8, 2009 at 12:38 PM, Martin O'Neal
<martin.oneal at corsaire.com> wrote:
>>> The place to fix software vulnerabilities, is yes, in the software.
>
>> ok, how do you fix problems in legacy
>> software written back in the 60s last
>> century? Good luck.
>
> LOL; that was some spanky forward thinking by whoever wrote those
> applications!  30 years ahead of HTTP, they pre-empted it and coded a
> working app?  But seriously, there is a lot of legacy code around, but
> in my experience I have never seen any of it directly web enabled.  It
> is usually front-ended by something else, which is where the SDLC effort
> should be concentrated.

GML was invented in the 1960's, which was the predecessor to SGML, and
therefore also HTML.  Otherwise, everything else is certainly post-
August 6th, 1991 when Tim Berners-Lee released files describing his
idea for the World Wide Web (WWW debuts as a publicly available
service on the Internet).

The ARPANET, and therefore the predecessor to TCP/IP (and therefore
also HTTP) was also being invented in the 1960's.

I don't think Achim meant either of these, but perhaps he works in
environments where web applications front very old mainframe
applications.  Which I guess would be valid points in some
circumstances, check out:
http://www.greebo.net/2007/06/27/the-mainframe-conundrum/
http://www.greebo.net/2007/11/18/lets-talk-mainframes-for-a-bit-part-1-background-and-authc/

However, I fail to see how WAF addresses any of these issues.  If
anything, it would seek to aid an anti-WAF argument.

Cheers,
Andre
