Secure Coding mailing list archives

top 10 software security surprises


From: ivan.ristic at gmail.com (Ivan Ristic)
Date: Wed, 17 Dec 2008 21:07:02 +0000

On Wed, Dec 17, 2008 at 7:48 PM, Kenneth Van Wyk <ken at krvw.com> wrote:
On Dec 16, 2008, at 1:25 PM, Gary McGraw wrote:

Using the software security framework introduced in October (A Software
Security Framework: Working Towards a Realistic Maturity Model
<http://www.informit.com/articles/article.aspx?p=1271382>), we interviewed
nine executives running top software security programs in order to gather
real data from real programs.

[snip]

- "Web application firewalls are not in wide use, especially not as Web
application firewalls."  I can't say I'm much surprised by this one.  Even
with PCI-DSS driving people to WAFs (or to do external independent code
reviews), I just don't see them often.  But you go on to say, "But
even these two didn't use them to block application attacks; they used them
to monitor Web applications and gather data about attacks."--but you don't
come back to this point.  One serious benefit of WAFs can be enhancing the
ability to do monitoring, especially of legacy apps.  Adding one network
choke point WAF can quickly add an app-level monitoring capability that few
organizations considered when rolling the apps out in the first place.

I couldn't agree more.

There is a very strong perception that WAFs must be configured to
block, and that they are useless if they aren't. Blocking, however, is
only one of the use cases. They are:

1. HTTP Intrusion Detection and Prevention: same as IDS/IPS, but for HTTP.
2. Virtual patching, to fix the problems you know you have and give you time.
3. Learning, to gather information about your applications and help
you make sense of them.
4. Logging, for batch and back-in-time analysis.

If you are interested in this topic you may find my presentation,
Evaluation Criteria for Web Application Firewalls
(http://www.owasp.org/images/f/f4/AppSecEU08_Evaluation_Criteria_for_Web_Application_Firewalls.pdf)
useful.

-- 
Ivan Ristic
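
The four use cases Ivan lists above, as an added example that is not part of the original thread and not code from ModSecurity or any other product: a toy HTTP inspection layer in Python whose engine setting switches between detect-only and blocking, so the same rule set can be run first in monitoring mode (the way the two programs in Gary's survey used their WAFs) and only later in enforcement. It shows a generic detection rule (the IDS/IPS case), a parameter allowlist scoped to one endpoint (a virtual patch), a log-only rule that records how a legacy endpoint is actually called (learning), and a retained audit log with a per-rule summary (logging for batch analysis). Everything here is constructed for illustration: the `Waf`, `Rule` and `Request` classes, the rule ids, the `/legacy/report` endpoint and the sample requests are assumptions, not taken from any real WAF or application.

```python
# Added example, not from the original thread: a toy WAF illustrating
# detect-only vs blocking mode, virtual patching, learning and audit logging.
# All class names, rule ids, endpoints and sample requests are constructed.
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    target: str                     # request-target: path plus optional query string
    headers: dict
    body: str = ""


@dataclass
class Rule:
    rule_id: str
    description: str
    where: str                      # "path" or "args"
    pattern: re.Pattern
    action: str                     # "log" (record only) or "deny"
    param: Optional[str] = None     # restrict an "args" rule to one parameter
    negate: bool = False            # True = allowlist: fire when the pattern does NOT match


@dataclass
class Verdict:
    allowed: bool
    matched: list = field(default_factory=list)


class Waf:
    """Evaluates rules against each request; engine "DetectionOnly" never blocks."""

    def __init__(self, rules, engine="DetectionOnly"):
        self.rules = rules
        self.engine = engine        # "On" enforces deny rules, "DetectionOnly" only logs
        self.audit_log = []         # retained for batch / back-in-time analysis
        self._seq = 0

    @staticmethod
    def _args(req):
        """Collect decoded query-string and form-body parameters."""
        args = parse_qs(urlsplit(req.target).query, keep_blank_values=True)
        ctype = req.headers.get("Content-Type", "")
        if req.method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
            for k, vs in parse_qs(req.body, keep_blank_values=True).items():
                args.setdefault(k, []).extend(vs)
        return args

    @staticmethod
    def _candidates(rule, req, args):
        if rule.where == "path":
            return [urlsplit(req.target).path]
        if rule.param is not None:
            return args.get(rule.param, [])
        return [v for vs in args.values() for v in vs]

    def inspect(self, req):
        self._seq += 1
        args = self._args(req)
        matched = []
        for rule in self.rules:
            for value in self._candidates(rule, req, args):
                hit = rule.pattern.search(value) is not None
                if hit != rule.negate:      # negate flips the sense (allowlist rule)
                    matched.append(rule)
                    self.audit_log.append({
                        "seq": self._seq, "rule": rule.rule_id, "msg": rule.description,
                        "method": req.method, "target": req.target, "value": value,
                        "action": rule.action, "engine": self.engine,
                    })
                    break
        # Only a deny rule under engine "On" actually blocks; otherwise we just observed.
        blocked = self.engine == "On" and any(r.action == "deny" for r in matched)
        return Verdict(allowed=not blocked, matched=[r.rule_id for r in matched])

    def summarize(self):
        """Batch analysis over the retained log: number of hits per rule id."""
        counts = {}
        for entry in self.audit_log:
            counts[entry["rule"]] = counts.get(entry["rule"], 0) + 1
        return counts


RULES = [
    # 1. Generic HTTP intrusion detection: directory traversal sequence in the path.
    Rule("900101", "Path traversal sequence in request path", "path",
         re.compile(r"(?:^|/)\.\.(?:/|$)"), "deny"),
    # 2. Virtual patch for a known weakness in a legacy endpoint: id must be numeric.
    Rule("910001", "Virtual patch: id parameter must be numeric", "args",
         re.compile(r"^\d{1,10}$"), "deny", param="id", negate=True),
    # 3. Learning: record every call into the legacy application without blocking.
    Rule("920001", "Learning: request to legacy application", "path",
         re.compile(r"^/legacy/"), "log"),
]

# Constructed sample traffic: two clean requests, one allowlist violation, one traversal.
SAMPLE_REQUESTS = [
    Request("GET", "/legacy/report?id=42", {}),
    Request("GET", "/legacy/report?id=42%27", {}),        # decodes to "42'", not numeric
    Request("GET", "/static/../../app.cfg", {}),
    Request("POST", "/legacy/report",
            {"Content-Type": "application/x-www-form-urlencoded"}, "id=7&format=pdf"),
]


def run(engine):
    """Run the sample traffic through a fresh WAF instance in the given engine mode."""
    waf = Waf(RULES, engine=engine)
    return waf, [waf.inspect(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for mode in ("DetectionOnly", "On"):
        waf, verdicts = run(mode)
        for req, v in zip(SAMPLE_REQUESTS, verdicts):
            print(mode, req.method, req.target, "allowed" if v.allowed else "BLOCKED", v.matched)
        print(mode, "per-rule hits:", waf.summarize())
```

Running it in "DetectionOnly" lets every request through but still fills the audit log, which is exactly the monitoring capability Ken describes for legacy apps: the per-rule summary shows what the legacy endpoint receives before anyone decides whether rule 910001 is safe to enforce. Flipping the engine to "On" changes nothing about what is logged, only whether deny rules block.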
