IDS mailing list archives
Re: Majorly OT IDS vs Application Proxy Firewall
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Tue, 28 Oct 2008 15:38:09 -0700
First off, the WAF market is clearly taking off. Virtually every large organization I know of is purchasing them, or has and is going to purchase more if they work. I have heard market forecasts as low as 180m but I think that is naive as I think these things could be a huge hit in Asia, especially Japan.

more inline:

On Mon, Oct 27, 2008 at 3:54 PM, alfredhuger () winterhope com <alfredhuger () winterhope com> wrote:
Arian,
[...]
Is it too much to ask you to be polite when delivering your message? The authors of much of the code you disparaged read this forum. Your posts are dead on so I would be willing to bet you'll have more influence by modifying your delivery.
I cannot imagine or empathize with your depth of experience on the subject of security mailing lists. Thank you for clarifying that SF does not rely on ad revenue. Mistaken assumption on my part.

As for the rest, well... I write for the potential consumers of said products. I do not write for the feelings of the developers of poorly conceived or executed products, nor for the feelings of those that disingenuously market their products and fail to deliver features that the consumer was told would be provided. I completely lack empathy here with anyone reading this list involved with crappy products. Pandering to their feelings just ain't in me.

As a once naive web dev and ecommerce guy who got sucked into security -- I have been burned by expensive products in infosec that often simply did not work. I was forced to learn infosec by crappy products and "security engineers" that did not understand them and/or could not make them work. The quality of the average "security engineer/consultant" until recently has been very low IMO. Green field, low bar.

I have also worked on products, shipped products, done security research on others' products, the whole spectrum. I get it. I still see little use for Citrix or McAfee in the web/software security space, and I do not see a need to couch my observations in mushmouth, milquetoast verbiage.

I mean I like the folks over at Citrix fine enough. I'm sure they're all swell people. Gosh, it's been about what, 10 years now Citrix (?) since I repeatedly attempted to report vulns in your nFuse alpha/beta product you asked me to test. And you ranged from apathetic to hostile about the security defects in nFuse. That was probably 1998 or 1999 though, way before software security was a feature.

Then enter the Teros folks. What a camp of buffoonery. Early on I really thought the product had promise, and it was one of the better WAFs out of the box circa 2003. The problem with Teros is that the whole organization, marketing and sales, oozed duplicity.

I think it is clear to anyone watching Scanalert and Intrushield in the marketplace that McAfee does not take web app security seriously today. They are peddling solutions with claims that simply cannot be justified or supported. I have contempt for this, so why be nice? If McAfee's solutions delivery changes tomorrow, cool. I'll hang my hat on the past and move on.

When I see weak solutions stretching the rubber band between marketing myth and product reality to the breaking point.... I do not know if a given vendor is simply out to make a quick buck in this space, or is more innocently ignorant of their failures, or perhaps well-meaning but incompetent. For this purpose I do not care about intention. Outcome is reality.

I am sure this frustration is not unique to the infosec product space. The battles between Oracle, Informix, and DB2 for the last 10 years have much of the same detritus. Yet whilst many customers were gagged by NDA from those vendors, they at least were able to evaluate a factual reality, be it performance/load tests or scaling, so they could decide between the DBs using some facts. We really do not have much of that in the web app/software security industry today, unfortunately, so folks like me that have used this stuff in the trenches need to speak out clearly.

And then the final fact remains that I find myself very amusing, and whether I am bashing Citrix or whatever I will always try to amuse myself in doing so. If you don't like my humor that's fine too. We're not dating. We don't have to hold hands.

Cheers folks; I do think the original subject is a good one for us to keep hammering on,

-- 
-- Arian J. Evans. Software. Security. Stuff.