WebApp Sec mailing list archives
RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?
From: "sankalpa h" <sankalpah () VenueAdv com>
Date: Thu, 17 Jan 2008 10:07:44 -0500
Why am I receiving these emails?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ofer Shezaf
Sent: Wednesday, January 16, 2008 11:49 AM
To: 'Henry Troup'; 'Ivan Ristic'; 'B Snake'
Cc: webappsec () securityfocus com
Subject: RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?

You are referring to a certain WAF technology, not to WAFs in general. A WAF should certainly not block a single quote by default. WAFs have gone a long way in the 10 years they exist. I personally believe that real time app sec controls are absolutely necessary to protect web applications. If the technology available at the time you looked into it was not good enough, it might be good enough today, and if still not suitable for a specific application today, it will be tomorrow.

~ Ofer

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Henry Troup
Sent: Sunday, January 13, 2008 7:03 PM
To: Ivan Ristic; B Snake
Cc: websecurity () webappsec org; webappsec () securityfocus com
Subject: Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?

For a while, I had the unpleasant experience of having a customer-support forum behind a WAF set for certain kinds of blocking. The result was that single quotes - such as "I can't make this work" - got postings rejected. Now obviously, that's the kind of thing you want to configure out. But until you do, it's absolutely painful and embarrassing.

Henry Troup
htroup () acm org

----- Original Message -----
From: "Ivan Ristic" <ivan.ristic () gmail com>
To: "B Snake" <bsnak3 () gmail com>
Cc: <websecurity () webappsec org>; <webappsec () securityfocus com>
Sent: Sunday, January 13, 2008 4:54 AM
Subject: Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?

On Jan 12, 2008 3:55 PM, B Snake <bsnak3 () gmail com> wrote:
It seems like 90+% of companies that implement WAFs deploy them in listening-only mode and don't do any blocking for fear of false positives cutting off legitimate user activity.
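The trade-off the thread argues about (a detection-only WAF that only alerts versus a blocking one, and a naive "any single quote" rule that rejects legitimate posts like "I can't make this work") can be made concrete with a toy policy engine. This is an added example, not code from the list or from any WAF product; the two rules and the sample forum posts are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed rules (assumptions, not any vendor's signatures): the naive rule
# fires on any apostrophe; the tuned rule needs a quote followed by SQL boolean logic.
NAIVE_QUOTE = ("naive-quote", re.compile(r"'"))
SQLI_TAUTOLOGY = ("sqli-tautology",
                  re.compile(r"'\s*(?:or|and)\s+\S+\s*=\s*\S+", re.I))


@dataclass
class Waf:
    rules: list
    blocking: bool                      # False = listening-only (alert, never block)
    alerts: list = field(default_factory=list)

    def allow(self, param: str, value: str) -> bool:
        """Inspect one request parameter; return True if the request passes."""
        for rule_id, pattern in self.rules:
            if pattern.search(value):
                mode = "BLOCK" if self.blocking else "DETECT"
                self.alerts.append(f"{mode} rule={rule_id} param={param} value={value!r}")
                if self.blocking:
                    return False
        return True


# Constructed sample traffic: two legitimate forum posts and one injection probe.
LEGIT = ["I can't make this work", "Users' feedback is great"]
ATTACK = ["x' OR '1'='1"]


def evaluate(rules, blocking):
    """Run the samples through a WAF and count false positives, true positives and alerts."""
    waf = Waf(rules, blocking)
    legit_blocked = sum(not waf.allow("body", v) for v in LEGIT)
    attacks_blocked = sum(not waf.allow("body", v) for v in ATTACK)
    return {"legit_blocked": legit_blocked,
            "attacks_blocked": attacks_blocked,
            "alerts": len(waf.alerts)}


if __name__ == "__main__":
    for rules, blocking in [([NAIVE_QUOTE], True), ([NAIVE_QUOTE], False), ([SQLI_TAUTOLOGY], True)]:
        print(rules[0][0], "blocking" if blocking else "detect-only", evaluate(rules, blocking))
```

Listening-only mode yields the same alerts as blocking mode, so its logs are exactly what is needed to tune the naive rule into the targeted one before switching blocking on.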