Secure Coding mailing list archives

Darkreading: compliance


From: jms at bughunter.ca (J. M. Seitz)
Date: Wed, 4 Apr 2007 08:38:38 -0700

For many shops, having another type of firewall could cost 
millions whereas putting tools in the hands of developers may 
actually be cheaper. We as a community may be better served 
by encouraging application firewalls and letting the 
financial model for complying work in our favor...

I definitely agree, and I strongly disagree with Gary that application
firewalls are "hair brained" solutions. It's always been my feeling, and I try
to put this into practice in my current role, that security is a multi-layer
approach: from secure coding practice in development, a proper QA cycle and
regression testing, and deployment security touchpoints, to finally adding the
extra layer on top by putting application layer firewalls in place, so that if
we ever have a 0-day style vulnerability it's very quick to throw in a rule to
protect it and begin working on a patch.

Now I know that your consulting business relies on you promoting "security
from the inside", but are you saying that application firewalls are pointless
and we should stop using them? Or are you saying that it's ridiculous that
we ever got to the point where applications are so insecure that we need a
transaction-per-transaction inspection mechanism to make sure the bad guys
aren't getting us?

You may want to clarify this a little bit for us sec-newbs....

JS
