Re: Majorly OT IDS vs Application Proxy Firewall

["Arian J. Evans" <arian.evans () anachronic com>]

First off, the WAF market is clearly taking off.

Virtually every large organization I know of
is purchasing them, or has and is going to
purchase more if they work.

I have heard market forecasts as low as 180m
but I think that is naive as I think these things
could be a huge hit in Asia, especially Japan.

more inline:

On Mon, Oct 27, 2008 at 3:54 PM, alfredhuger () winterhope com
<alfredhuger () winterhope com> wrote:
> Arian,
[...]

> Is it too much to ask you to be polite when delivering your message?
> The authors of much of the code you disparaged read this forum. Your
> posts are dead on so I would be willing to bet you'll have more
> influence by modifying your delivery.


I cannot imagine or empathize with your depth of
experience on the subject of security mailing lists.

Thank you for clarifying that SF does not rely on ad
revenue. Mistaken assumption on my part.

As for the rest, well...

I write for the potential consumers of said products.

I do not write for the feelings of the developers of
poorly conceived or executed products, nor for
the feelings of those that are disingenuously
market their products and fail to deliver features
that the consumer was told will be provided.

I completely lack empathy here with any one
reading this list involved with crappy products.
Pandering to their feelings just ain't in me.

As a once naive web dev and ecommerce guy
who gut sucked into security -- I have been burned
by expensive products in infosec that often
simply did not work. I was forced to learn infosec
by crappy products and "security engineers"
that did not understand them and/or could not
make them work. The quality of the average
"security engineer/consultant" until recently
has been very low IMO. Green field, low bar.

I have also worked on products, shipped
products, done security research on other's
products, the whole spectrum. I get it.

I still see little use for Citrix or McAfee in
the web/software security space, and I do
not see a need to couch my observations
in mushmouth, milk-toast verbiage.

I mean I like the folks over at Citrix fine
enough. I'm sure they're all swell people.
Gosh, it's been about what, 10 years now Citrix
(?) since I repeatedly attempted to report vulns
in your nFuse alpha/beta product you asked
me to test. And you ranged from apathetic to
hostile about the security defects in nFuse.
That was probably 1998 or 1999 though
way before software security was a feature.

Then enter the Teros folks. What a camp of
buffoonery. Early on I really thought the product
had promise, and it was one of the better WAFs
out of the box circa 2003. The problem with
Teros is that the whole organization, marketing
and sales, oozed duplicity.

I think it is clear to anyone watching Scanalert
and Intrushield in the marketplace that McAfee
does not take web app security seriously today.
They are peddling solutions with claims that
simply cannot be justified or supported. I have
contempt for this so why be nice?

If McAfee's solutions delivery changes tomorrow,
cool. I'll hang my hat on the past and move on.

When I see weak solutions stretching the rubber
band between marketing myth and product reality
to the breaking point....

I do not know if a given vendor is simply out
to make a quick buck in this space, or is more
innocently ignorant of their failures, or perhaps
well-meaning but incompetent.

For this purpose I do not care about intention.
Outcome is reality.

I am sure this frustration is not unique to the
infosec product space. The battles between
Oracle, Informix, and DB2 for the last 10 years
have much of the same detritus. Yet whilst
many customers were gagged by NDA from
those vendors, they at least were able to
evaluate a factual reality, be it performance/load
tests or scaling so they could decide between
the DBs using some facts.

We really do not have much of that in the
web app/software security industry today,
unfortunately, so folks like me that have
used this stuff in the trenches need to
speak out clearly.

And then the final fact remains that I find
myself very amusing, and whether I am
bashing Citrix or whatever I will always
try to amuse myself in doing so.

If you don't like my humor that's fine too.
We're not dating. We don't have to hold hands.

Cheers folks; I do think the original subject
is a good one for us to keep hammering on,

-- 
-- 
Arian J. Evans.
Software. Security. Stuff.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------