[WEB SECURITY] Fwd: [SC-L] OWASP Podcast #6: WAFs

Ryan Barnett rcbarnett at gmail.com
Mon Feb 9 12:04:11 EST 2009

On Sat, Feb 7, 2009 at 4:52 AM, Martin O'Neal <martin.oneal at corsaire.com> wrote:

> WAF, WAF, WAF.  All I hear is WAF.  Why is it always WAFs that are so
> contentious?
Martin, this reply is not aimed at you.  This thread is so long that I just
had to pick one and your first sentence seemed appropriate.  Every few months,
the "WAF is Crap" vs. "WAF is Awesome" debate resurfaces.  The last go
around prompted me to post this Blog entry -
http://tacticalwebappsec.blogspot.com/2008/05/whats-score-of-game.html and
it is still relevant.

The way that I look at it is that you basically have both Strategic and
Tactical security items.  Back to my Blog post, this is like when looking at
American Football you have the Strategic game-week film study of
your opponent and game planning, while during the actual live game you have
Tactical In-game adjustments to actively combat what your opponent is doing
that you didn't expect.  You need to have both strategic and tactical
processes or you will never win a game.

Secure code reviews/SDLC, vulnerability scanning/pentesting and WAFs are
not mutually exclusive (thanks PCI 6.6 for pitting these items in a zero-sum
game context...).  They all can and should be done as defense in depth
processes.  The main issue that I see people get into trouble over is when
they (security consultants, vendors/marketing or customers) promote the
concept that any one of these is the "only" thing that you should be doing.

I think that we all (webappsec folks) share in some frustration when a
customer/prospect chooses to only do one of these processes and it is not
what we are recommending.  Each of us, from our own perspective, rightfully
feels that our processes/tools help to cover items that the other ones
don't.  It often ends up being both a technical and monetary
frustration when this happens.

There are 3 main types of organizations that I typically run into with regards
to webappsec -

   - Thought Leaders - these are the ones who "get it" from a security
   perspective and they have the understanding, budget and motivation for doing
   what is right for security.
   - Compliance Driven - those that are only interested in checking a box to
   conform to a mandated standard.  They are not focused on true security.
   - Hacked - these people can no longer put their heads in the sand and
   pretend that it won't happen to them.  They are motivated but the degree to
   which they are willing to change (and implement security improvements) varies.

With these groups in mind, this is where I think the contention lies with
this whole WAF debate.  Which group are you dealing with?  The first group
is going to do what is right and do code reviews, scanning and WAFs.  So,
for these customers, there really is no debate as to the value of each
approach as they are not being used as a replacement for the others.  For
the hacked group, it depends on the budget, time restraints, etc... as to
which security items they are going to fix.  As for the Compliance group -
this is the freaking "Thunderdome" of the debate as the prospect is most
likely only going to choose 1 item to implement.

Educating prospects/customers as to the benefits of your approach/tools is
the only real thing you can do.  Ultimately, it is up to them (and the group
they are in) to decide which direction to take.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com/