Educause Security Discussion mailing list archives

Re: Web application monitoring, web application scanning products, and web application firewalls


From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Mon, 19 May 2008 17:18:55 -0600

Jason,
Application firewalls have a different purpose in that they focus on traffic
at the application layer.  They will not protect your organization from
poorly designed applications or poorly configured application servers.  Web
enabled applications are susceptible to a variety of attacks and testing
them thoroughly is certainly a good practice.  When it comes to testing
them, however, you have to consider whether you want the developer to do the
testing or whether to test the application in as close to an operational
environment as possible using your staff or an independent outfit.  In
general, if the developer has a well-established software quality assurance
organization/program that tests to specific standards, then relying on the
vendor and spot-checking the results can work.  My experience, however, is
that software projects are too often underfunded and over-featured, which
translates into reducing overheads such as programmatic SQA and testing to
spec.  So, you may want to have the capabilities in-house or hire an outside
entity to independently test applications for potential vulnerabilities.

One last thing, there are always contractual and licensing issues associated
with testing someone else's software, reporting problems and
vulnerabilities, rating problems and vulnerabilities, responding, etc.  So,
it is important to define a strategy and then integrate the implications
into your software development, procurement and maintenance contracts.

Hope it helps,

Ozzie Paez
SSE/CISSP
303-332-5363


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Youngquist, Jason R.
Sent: Monday, May 19, 2008 12:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Web application monitoring, web application scanning
products, and web application firewalls


As many of you know, web application attacks such as SQL injection have
been on the rise over the past few years, and more recently, automated
SQL attacks infecting numerous websites have been making the news.  For
example, headlines from isc.sans.org "SQL Injection Worm on the Loose",
"2117966.net-- mass ASP/SQL injection", "Hundreds of thousands of SQL
injections" etc.


So I have a few questions:
--Is there a program (commercial or free) that will monitor IIS web
server logs in real-time for web-vulnerability attacks (and hopefully be
smart enough to determine if the attack was successful or not) and then
send an alert via email/SMS/pager?
--web application vulnerability software vs. a web application firewall
- I've looked at web application vulnerability software and agree that
the best thing to do is to be able to fix vulnerable code, but there may
be 3rd party web-based applications which are vulnerable and one would
have to get the company to patch/fix the issue(s) which may/may not
happen.  I've heard of web application firewall technology where an
appliance sits in front of your web server and monitors for web-based
attacks and then drops/blocks the attacker's connection.
        --Does anyone have any experience with web application firewall
technology, and if so, how well does it work?  Any recommendations on
products?
        --If you had money to spend and could get either a web
vulnerability scanner or a web application firewall, which one would you
purchase and why?  I see pros/cons with both.


Thanks.
Jason Youngquist
Network Engineer - Security
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu

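An added example, not from either message and not a product recommendation, of the real-time log monitoring Jason asks about in his first question: a small Python checker that parses IIS W3C log lines, flags query strings carrying common SQL-injection tokens, and uses the HTTP status code only as a rough success heuristic. The log lines are constructed samples (documentation IP addresses, a hypothetical /news.asp page), not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS 6 W3C log sample (documentation IPs, not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-05-19 12:19:01 10.0.0.5 GET /news.asp id=42 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2008-05-19 12:19:02 10.0.0.5 GET /news.asp id=42;DECLARE+@S+VARCHAR(4000);EXEC(@S);-- 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2008-05-19 12:19:03 10.0.0.5 GET /news.asp id=1'+OR+'1'='1 80 - 198.51.100.7 Mozilla/4.0 500 0 0
"""

# Tokens that have no business in a query-string value on this site.
SQLI_SIGNATURES = [
    re.compile(r"\bdeclare\s+@\w+", re.I),               # T-SQL variable declaration
    re.compile(r"\bexec\s*\(", re.I),                    # dynamic SQL execution
    re.compile(r"\bunion\s+select\b", re.I),             # UNION-based extraction
    re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),   # tautology such as ' OR '1'='1
]

def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def classify(entry):
    """Return an alert dict when the decoded query string matches a signature, else None."""
    query = unquote_plus(entry.get("cs-uri-query", "-"))  # IIS logs '+' for spaces
    matches = sum(1 for sig in SQLI_SIGNATURES if sig.search(query))
    if not matches:
        return None
    status = entry["sc-status"]
    # Heuristic only: 200 means the page rendered, not that the SQL ran; a 5xx usually
    # means the injected statement broke the query. Confirming success needs DB/app logs.
    verdict = ("possible-success" if status == "200"
               else "likely-failed" if status.startswith("5") else "unknown")
    return {"client": entry["c-ip"], "uri": entry["cs-uri-stem"],
            "status": status, "verdict": verdict, "matches": matches}

def scan_log(text):
    """Alerts for every request in the log, in log order; feed these to email/SMS."""
    return [alert for alert in map(classify, parse_iis_log(text)) if alert]
```

For live use, point parse_iis_log at a tail of the active log file instead of SAMPLE_LOG and hand the returned alerts to your mail or paging gateway; the verdict field is a triage hint, not proof of compromise.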