WebApp Sec mailing list archives

Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?


From: "Ryan Barnett" <rcbarnett () gmail com>
Date: Sun, 13 Jan 2008 16:42:05 -0500

On Jan 12, 2008 5:32 PM, Andre Gironda <andreg () gmail com> wrote:
> Deploying WAFs at all - Waste of Money?
>
> Answer: Not if you just made a check-mark on a PCI-DSS audit

Since you mentioned PCI...  I did a recent Blog post on section 6.6
(http://www.modsecurity.org/blog/archives/2007/12/pci_requirement.html)
and it appears to me that the spirit of this section is to implement
some form of remediation to help "prevent" web-based attacks.  If you
look at the audit procedure document
(https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf)
it essentially states that either option you choose for 6.6 has to
result in prevention of attacks.  If you choose the code review route,
then you also must have actually fixed the code as well.  Just showing
a PCI auditor a list of vulns identified by a code review, code
scanner or web app scanner will not suffice.  The auditor is supposed
to obtain proof that the code has also been fixed.  If not, then I
don't see how you could get a "check mark" here and pass 6.6.  On the
flip side, if you choose the WAF route, it also states that it needs to
be "preventing" attacks, which seems to me to mean that it has to be
doing some form of blocking.  The details of exactly what must be
blocked are a bit hazy (although I would assume that you must be
blocking both SQL Injection and XSS vulns/attacks, as those two
categories are the only 2 high vulns that would result from a failure of
other sections of PCI such as 6.5).

I guess that this topic is slightly ahead of the curve since 6.6 is
considered "Best Practice" right now, however this will be changing in
about 5 months...

Are there any PCI auditors on this list that care to comment on this issue?

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
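For readers weighing the thread's question, here is what "listening-only" versus "preventing" looks like as a ModSecurity 2.7+ configuration. This is an added example, not part of Ryan's post or the ModSecurity project's own files; the rule ids, the 403 status, and the log path are assumptions:

```apache
# Added example (not from the original post): ModSecurity 2.7+ directives
# contrasting a listening-only deployment with a blocking one.
# Rule ids 900001/900002, the 403 status and the log path are assumptions.

# --- Listening-only setting ---
# Rules are evaluated and matches are logged, but no request is denied.
# This is the mode the thread calls "listening-only".
# SecRuleEngine DetectionOnly

# --- Blocking ("preventing") setting ---
# Disruptive actions such as deny take effect on a match.
SecRuleEngine On

# Inspect request bodies too; otherwise POSTed parameters are never seen.
SecRequestBodyAccess On

# Audit log: record every transaction that matched a rule or returned
# 4xx/5xx (except 404), so both the detection and the block are evidenced.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLog /var/log/modsec_audit.log

# Minimal SQL injection / XSS rules using the libinjection operators.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@detectSQLi" \
    "id:900001,phase:2,deny,status:403,log,msg:'SQL injection attempt blocked'"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@detectXSS" \
    "id:900002,phase:2,deny,status:403,log,msg:'XSS attempt blocked'"
```

The only line that separates the two deployments is SecRuleEngine: with DetectionOnly the same two rules still write a match to the audit log but the request is served, while with On the deny action returns the 403. Running DetectionOnly for a period is a reasonable way to measure false positives before switching, but the audit log alone is a record of detection, not of prevention.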
