Why You Don’t Need a Web Application Layer Firewall
Now that PCI 6.6’s supporting documents are finally released, a lot of people are jumping on the “Well, we’re getting a Web Application Firewall” bandwagon. I’ve discussed the Pros and Cons of Web Application Firewalls vs Code Reviews before, but let’s dissect one more objection in favor of WAFs and against code reviews (specifically static analysis) …
This is from Trey Ford’s blog post “Instant AppSec Alibi?”
Let’s evaluate this in light of what happens after a vulnerability is identified, application owners can do one of a couple things…
- Take the website off-line
- Revert to older code (known to be secure)
- Leave the known vulnerable code online
…
There are two huge flaws in Mr Ford’s justification of having WAFs as a layer of defense.
1) Web Application Firewalls only address HALF of the problems with web applications: the syntactic portion, otherwise known in Gary McGraw speak as “the bug parade”. The other half of the problems are design (semantic) problems, which Gary refers to as “security flaws”.
…
Full article: http://securology.blogspot.com
License: Creative Commons Attribution 3.0
Indexed in June 2008
