WebApp Sec mailing list archives
RE: Web Application Security
From: Ofer Shezaf <ofers () Breach com>
Date: Wed, 12 Mar 2008 08:12:26 +0200
Zack wrote:
The other option from a Web Application Firewall is to use a black box tester and look for vulnerabilities within your Web application. I personally think that is a better approach since you are "fixing" the source of potential vulnerabilities rather than "hiding" them behind a firewall.
Are you sure that by black box testing you actually fix the vulnerabilities? The last time I checked, vulnerability scanners did not claim to modify the code in any way. I assume you would agree that scanners just point to vulnerabilities, requiring the programmers to fix them. If your web site operator takes down the site the moment a vulnerability is found and your programmers fix it within a reasonable time frame to keep the site down (3 minutes?), you are fine with scanners. However, I assume that your situation is different.

While I agree that using scanners empowers programmers to make their code better, I don't think it is a one-stop solution for protecting your application. Application firewalls will enable you to dynamically patch those vulnerabilities until the programmers come around to fixing them, and provide protection from zero-day attacks until the next time you run your scanners.

My colleague Ivan Ristic wrote just yesterday a blog entry describing use cases for WAFs: http://www.modsecurity.org/blog/archives/2008/03/web_application_4.html.

~ Ofer

Ofer Shezaf
Work: ofers () breach com, +972-9-9560036 #212
Personal: ofer () shezaf com, +972-54-4431119
VP Security Research, Breach Security
Chair, OWASP Israel
Leader, ModSecurity Core Rule Set Project
Leader, WASC Web Hacking Incidents Database Project
Current thread:
- Web Application Security mahendra_yn (Jan 25)
- Re: Web Application Security Javier Fernandez-Sanguino (Mar 10)
- Re: Web Application Security Zack Peters (Mar 11)
- RE: Web Application Security Jayaraman, Anand X. (Mar 11)
- RE: Web Application Security Ofer Shezaf (Mar 12)
- Re: Web Application Security Zack Peters (Mar 11)
- Re: Web Application Security Javier Fernandez-Sanguino (Mar 10)