/apr 15, 2008

WAF Better Than Code Review? Not Really.

By Chris Eng

I was just reading an article discussing the timeframe for upcoming revisions to the PCI-DSS. Nothing quite so exciting as reading about a compliance roadmap, right? This article reminded us about PCI Section 6.6 becoming mandatory in June 2008, with additional guidance and clarification coming in May (hey, a whole month to prepare!). As a refresher, 6.6 says that web applications must be reviewed by a third party for security vulnerabilities, or a web application firewall (WAF) must be installed. Anyway, in this article, PCI-DSS General Manager Bob Russo makes the following statement:

"Personally, I'd love to see everyone go through on OWASP-based source-code review, but certainly, that's not going to happen," Russo said, referring to the expensive and time-consuming process of manual code reviews. "So the application firewall is probably the best thing to do, but there needs to be some clarification around what it needs to do. That clarification is coming; that's been the biggest question."

Really? The WAF is the "best thing to do?" Maybe he meant to say "cheapest" or "quickest," but how is a WAF better than fixing the root cause of vulnerabilities? I don't deny that a WAF can be valuable to a layered security approach. For example, if I need to quickly plug a hole in my web app, I can configure the WAF to block it, thereby buying time for the development team to fix the problem. Instead of having to fix the bug immediately, it can be rolled into the next release cycle, with the WAF protecting the site in the interim. Sure, the WAF can protect against some known attacks, and if you set it up the right way, it can attempt to detect and block other, unknown attacks -- that is, if it's configured aggressively enough. Except very few companies will actually do that. Nobody wants to risk the WAF confusing a legitimate request with an attempted attack and subsequently blocking user traffic. This is why I argued, a while back, that a WAF really should be considered a compensating control since it is more of a band-aid than a best practice solution. That would give the requirement a lot more credibility rather than giving enterprises an easy way out.

Related Posts

By Chris Eng

Chris Eng is Chief Research Officer at Veracode. A founding member of the Veracode team, he is responsible for all research initiatives including applied research and product security, as well as advising on product strategy and M&A. Chris is a frequent speaker at industry conferences and serves on the review board for Black Hat USA. He is also a charter member of MITRE's CWE/CAPEC Board. Bloomberg, Fox Business, CBS, and other prominent media outlets have featured Chris in their coverage. Previously, Chris was technical director at Symantec (formerly @stake) and an engineer at the National Security Agency. Chris holds a B.S. in Electrical Engineering and Computer Science from the University of California.