RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?

["sankalpa h" <sankalpah () VenueAdv com>]

Why I am receiving these emails?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ofer Shezaf
Sent: Wednesday, January 16, 2008 11:49 AM
To: 'Henry Troup'; 'Ivan Ristic'; 'B Snake'
Cc: webappsec () securityfocus com
Subject: RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?

You are referring to a certain WAF technology, not to WAFs in general. A WAF
should certainly not block a single quote by default. 

WAFs have gone a long way in the 10 years they exist. I personally believe
that real time app sec controls are absolutely necessarily to protect web
applications. If the technology available at the time you looked into it was
not good enough, it might be good enough today, and if still not suitable
for a specific application today, it will be tomorrow.

~ Ofer

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Henry Troup
Sent: Sunday, January 13, 2008 7:03 PM
To: Ivan Ristic; B Snake
Cc: websecurity () webappsec org; webappsec () securityfocus com
Subject: Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of
Money?

For a while, I had the unpleasant experience of having a customer-support
forum behind a WAF set for certain kinds of blocking.  The result was that
single quotes - such as "I can't make this work" - got postings rejected.
Now obviously, that's the kind of thing you want to configure out.  But
until you do, it's absolutely painful and embarassing.

Henry Troup
htroup () acm org


----- Original Message -----
From: "Ivan Ristic" <ivan.ristic () gmail com>
To: "B Snake" <bsnak3 () gmail com>
Cc: <websecurity () webappsec org>; <webappsec () securityfocus com>
Sent: Sunday, January 13, 2008 4:54 AM
Subject: Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of
Money?


> On Jan 12, 2008 3:55 PM, B Snake <bsnak3 () gmail com> wrote:
> > It seems like 90+% of companies that implement WAFs deploy them in
> > listening-only mode and don't do any blocking for fear of false positives
> > cutting off legitimate user activity.


-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed?
What tools can accelerate the assessment process? Download this Whitepaper
today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------