Comments on: WAF Better Than Code Review? Not Really. http://www.veracode.com/blog/2008/04/waf-better-than-code-review-think-again/ Application security testing, analysis, and metrics Tue, 15 May 2012 22:16:53 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: The State of Web Security | Mike Andrews http://www.veracode.com/blog/2008/04/waf-better-than-code-review-think-again/comment-page-1/#comment-1031 The State of Web Security | Mike Andrews Tue, 20 May 2008 23:52:36 +0000 http://www.veracode.com/blog/?p=85#comment-1031 [...] been lots of comments about this (too numerous to link to all of them, but there’s refs from these main two), [...] [...] been lots of comments about this (too numerous to link to all of them, but there’s refs from these main two), [...]

]]> By: Mike http://www.veracode.com/blog/2008/04/waf-better-than-code-review-think-again/comment-page-1/#comment-951 Mike Thu, 17 Apr 2008 06:53:46 +0000 http://www.veracode.com/blog/?p=85#comment-951 If you care about PCI compliance issues, you may want to check out http://pcianswers.com/ It's a great source for analysis, information, and review of the payment services space. If you care about PCI compliance issues, you may want to check out http://pcianswers.com/ It’s a great source for analysis, information, and review of the payment services space.

]]> By: Michael Coates http://www.veracode.com/blog/2008/04/waf-better-than-code-review-think-again/comment-page-1/#comment-948 Michael Coates Wed, 16 Apr 2008 15:18:34 +0000 http://www.veracode.com/blog/?p=85#comment-948 "Sure, the WAF can protect against some known attacks, and if you set it up the right way, it can attempt to detect and block other, unknown attacks — that is, if it’s configured aggressively enough." Yea, you nailed it there. The WAF will just go the same route as the network based firewall. Open a connection here, open up a port there, eventually the firewall is letting in much more than it is actually blocking. Unfortunately, I see the WAF going the same way. A very cautious approach will be taken to any blocking actions and once something breaks legitimate functionality it will be throttled back. This approach will not provide sufficient application security and pales in quality to a quality source code review. -Michael “Sure, the WAF can protect against some known attacks, and if you set it up the right way, it can attempt to detect and block other, unknown attacks — that is, if it’s configured aggressively enough.”

Yea, you nailed it there. The WAF will just go the same route as the network based firewall. Open a connection here, open up a port there, eventually the firewall is letting in much more than it is actually blocking.

Unfortunately, I see the WAF going the same way. A very cautious approach will be taken to any blocking actions and once something breaks legitimate functionality it will be throttled back. This approach will not provide sufficient application security and pales in quality to a quality source code review.

-Michael

]]>