Educause Security Discussion mailing list archives
Re: Web application monitoring, web application scanning products, and web application firewalls
From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Mon, 19 May 2008 17:18:55 -0600
Jason,

Application firewalls have a different purpose in that they focus on traffic at the application layer. They will not protect your organization from poorly designed applications or poorly configured application servers. Web-enabled applications are susceptible to a variety of attacks and testing them thoroughly is certainly a good practice.

When it comes to testing them, however, you have to consider whether you want the developer to do the testing or whether to test the application in as close to an operational environment as possible using your staff or an independent outfit. In general, if the developer has a well-established software quality assurance organization/program that tests to specific standards, then relying on the vendor and spot-checking the results can work. My experience, however, is that software projects are too often underfunded and over-featured, which translates into reducing overheads such as programmatic SQA and testing to spec. So, you may want to have the capabilities in-house or hire an outside entity to independently test applications for potential vulnerabilities.

One last thing: there are always contractual and licensing issues associated with testing someone else's software, reporting problems and vulnerabilities, rating problems and vulnerabilities, responding, etc. So, it is important to define a strategy and then integrate the implications into your software development, procurement and maintenance contracts.

Hope it helps,

Ozzie Paez
SSE/CISSP
303-332-5363

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Youngquist, Jason R.
Sent: Monday, May 19, 2008 12:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Web application monitoring, web application scanning products, and web application firewalls

As many of you know, web application attacks such as SQL injection have been on the rise over the past few years, and more recently, automated SQL attacks infecting numerous websites have been making the news. For example, headlines from isc.sans.org: "SQL Injection Worm on the Loose", "2117966.net -- mass ASP/SQL injection", "Hundreds of thousands of SQL injections", etc.

So I have a few questions:

-- Is there a program (commercial or free) that will monitor IIS web server logs in real-time for web-vulnerability attacks (and hopefully be smart enough to determine if the attack was successful or not) and then send an alert via email/SMS/pager?

-- Web application vulnerability software vs. a web application firewall: I've looked at web application vulnerability software and agree that the best thing to do is to be able to fix vulnerable code, but there may be 3rd-party web-based applications which are vulnerable and one would have to get the company to patch/fix the issue(s), which may/may not happen. I've heard of web application firewall technology where an appliance sits in front of your web server and monitors for web-based attacks and then drops/blocks the attacker's connection.

-- Does anyone have any experience with web application firewall technology, and if so, how well does it work? Any recommendations on products?

-- If you had money to spend and could get either a web vulnerability scanner or a web application firewall, which one would you purchase and why? I see pros/cons with both.

Thanks.

Jason Youngquist
Network Engineer - Security
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu
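Jason's first question asks for something that watches IIS logs for injection attempts and tries to judge whether an attempt succeeded. The following is an added example (not code from either poster or from any product mentioned in the thread) of the minimal detection logic such a monitor needs: it parses the W3C extended format IIS writes, URL-decodes the query string, matches it against a few SQL injection signatures, and uses the response status as a rough success heuristic. The log lines, rule names and the 500/200 classification are constructed assumptions; in practice IIS logs only the query string, so injection carried in POST bodies is invisible to this approach, which is one reason a WAF or an in-application check is still needed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of an IIS W3C extended log (not taken from the thread).
# Query strings are shown the way IIS records them: spaces encoded as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-05-19 12:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-05-19 12:00:01 10.0.0.5 GET /news.asp id=12 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2008-05-19 12:00:02 10.0.0.5 GET /news.asp id=12;DECLARE+@s+VARCHAR(4000);SET+@s=CAST(0x44+AS+VARCHAR(4000));EXEC(@s);-- 80 - 198.51.100.7 Mozilla/4.0 500 0 0
2008-05-19 12:00:03 10.0.0.5 GET /login.asp user=admin'+OR+1=1-- 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2008-05-19 12:00:04 10.0.0.5 GET /search.asp q=union+jobs 80 - 192.0.2.11 Mozilla/4.0 200 0 0
"""

# Hypothetical signature set; rule names are our own labels.  The T-SQL rules
# reflect the DECLARE/CAST/EXEC shape of the 2008 mass-injection campaigns.
SQLI_RULES = [
    ("union-select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("tautology", re.compile(r"'\s*or\s+[\w']+\s*=\s*[\w']+", re.I)),
    ("tsql-declare", re.compile(r"declare\s+@\w+", re.I)),
    ("tsql-cast", re.compile(r"\bcast\s*\(", re.I)),
    ("tsql-exec", re.compile(r"\bexec\s*\(", re.I)),
]


def parse_iis_log(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives carry no request data
        if fields is None:
            raise ValueError("data line seen before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; a real monitor would count and report these
        rows.append(dict(zip(fields, values)))
    return rows


def classify(status):
    """Rough success heuristic from the HTTP status the server returned."""
    if status >= 500:
        # A server error means the payload reached the backend and broke
        # something, often an unhandled database error: investigate first.
        return "error-response: payload reached backend, investigate"
    if status == 200:
        # The page rendered normally; the attempt may have been harmless or
        # may have succeeded silently, so it still needs review.
        return "accepted: success not ruled out, review"
    return "rejected"


def scan_log(text):
    """Return one alert per request whose decoded query matches a rule."""
    alerts = []
    for row in parse_iis_log(text):
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue  # IIS writes '-' for an empty field
        decoded = unquote_plus(query)  # undo '+' and %xx encoding before matching
        for name, rx in SQLI_RULES:
            if rx.search(decoded):
                status = int(row["sc-status"])
                alerts.append({
                    "time": f"{row['date']} {row['time']}",
                    "client": row["c-ip"],
                    "uri": row["cs-uri-stem"],
                    "status": status,
                    "rule": name,
                    "verdict": classify(status),
                })
                break  # one alert per request is enough
    return alerts


def format_alert(alert):
    """One-line text suitable for an email/SMS notification."""
    return (f"[{alert['time']}] {alert['client']} -> {alert['uri']} "
            f"rule={alert['rule']} status={alert['status']} {alert['verdict']}")


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(format_alert(a))
```

Run against the constructed sample, the T-SQL request that drew a 500 is flagged for investigation first, the tautology login attempt that returned 200 is flagged for review, and the search for "union jobs" is not flagged because no signature requires a bare keyword. Tuning those signatures against a site's legitimate traffic is where most of the effort in such a monitor goes.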