WebApp Sec mailing list archives
RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?
From: Ofer Shezaf <ofers () Breach com>
Date: Sun, 13 Jan 2008 07:35:55 -0500
Locking doors is also a waste of money, after all any lock can be broken. And still we all lock doors. No WAF will solve all of your web security problems but it would certainly reduce them AND make your site more protected than the next door, which might be just what you need to keep clear. A good example would be the latest SQL injection bot (WHID 2007-82, http://www.webappsec.org/projects/whid/byid_id_2007-82.shtml). So many web sites were broken into, and by just having a default install of ModSecurity (and I am sure any other WAF), they could prevent the hack. ~ Ofer --- From: Andre Gironda [mailto:andreg () gmail com] Sent: Saturday, January 12, 2008 5:32 PM To: B Snake Cc: websecurity () webappsec org; webappsec () securityfocus com Subject: Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Deploying WAFs at all - Waste of Money? Answer: Not if you just made a check-mark on a PCI-DSS audit On 1/12/08, B Snake <bsnak3 () gmail com> wrote:
It seems like 90+% of companies that implement WAFs deploy them in listening-only mode and don't do any blocking for fear of false positives cutting off legitimate user activity. I'm new to WAFs and this may be a stupid question, but what security value does a WAF add if it's not doing any blocking of malicious activity? -BSnake
---------------------------------------------------------------------------- Join us on IRC: irc.freenode.net #webappsec Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/ Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed] ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ryan Barnett (Jan 13)
- <Possible follow-ups>
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ivan Ristic (Jan 13)
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Henry Troup (Jan 14)
- RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ofer Shezaf (Jan 16)
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Henry Troup (Jan 14)
- RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ofer Shezaf (Jan 13)
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ryan Barnett (Jan 13)
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ryan Barnett (Jan 14)
- RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? sankalpa h (Jan 20)