WebApp Sec mailing list archives

RE: Web Application Security


From: Ofer Shezaf <ofers () Breach com>
Date: Wed, 12 Mar 2008 08:12:26 +0200

Zack wrote:
The other option from a Web Application Firewall is to
use a black box tester and look for vulnerabilities
within your Web application. I personally think that
is a better approach since you are "fixing" the source
of potential vulnerabilities rather than "hiding" them
behind a firewall. 

Are you sure that by black box testing you actually fix the vulnerabilities?
The last time I checked, vulnerability scanners did not claim to modify the
code in any way. I assume you would agree that scanners just point to
vulnerabilities, requiring the programmers to fix them. If your web site
operator takes down the site the moment a vulnerability is found, and your
programmers fix it within a reasonable time frame to keep the site down (3
minutes?), you are fine with scanners. However, I assume that your situation
is different.
 
While I agree with using scanners to empower programmers to make their code
better, I don't think it is a one-stop solution for protecting your
application. Application firewalls will enable you to dynamically patch
those vulnerabilities until the programmers come around to fixing them, and
provide protection from zero-day attacks until the next time you run your
scanners. My colleague Ivan Ristic wrote just yesterday a blog entry
describing use cases for WAFs:
http://www.modsecurity.org/blog/archives/2008/03/web_application_4.html.
 
~ Ofer

Ofer Shezaf
Work: ofers () breach com, +972-9-9560036 #212 
Personal: ofer () shezaf com, +972-54-4431119

VP Security Research, Breach Security
Chair, OWASP Israel 
Leader, ModSecurity Core Rule Set Project
Leader, WASC Web Hacking Incidents Database Project
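The "dynamic patch" Ofer describes, as an added example that is not part of the original message, of ModSecurity, or of the Core Rule Set: a constructed, deliberately injectable lookup endpoint (the kind of finding a scanner reports) left unfixed, with a virtual patch placed in front of it. The rule layout, the rule id 1001 and its message are hypothetical; the sample rows and requests are constructed. The point is that the application code is untouched, yet the attack no longer reaches it.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# --- Constructed sample application (not code from the original message) ----
# A deliberately injectable lookup endpoint, standing in for the code that a
# scanner has flagged but that the programmers have not yet fixed.

def build_db():
    """In-memory SQLite with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn

def vulnerable_lookup(conn, query_string):
    """Builds SQL by string concatenation; the id parameter is injectable."""
    user_id = parse_qs(query_string).get("id", ["0"])[0]
    sql = "SELECT name FROM users WHERE id = " + user_id  # vulnerable on purpose
    return [row[0] for row in conn.execute(sql).fetchall()]

# --- Virtual patch in front of the application -------------------------------
# One positive-security rule per parameter the scanner flagged: reject any value
# that does not match the allowlist. The VIRTUAL_PATCHES layout, rule id and
# message are hypothetical, shaped to resemble a ModSecurity-style rule.

VIRTUAL_PATCHES = [
    {
        "id": 1001,
        "param": "id",
        "allow": re.compile(r"[0-9]{1,9}"),
        "msg": "id must be a short integer (virtual patch pending code fix)",
    },
]

def inspect_request(query_string):
    """Return (allowed, reason). Every value of a patched parameter must match,
    so a second copy of the parameter (parameter pollution) is checked too."""
    params = parse_qs(query_string, keep_blank_values=True)
    for patch in VIRTUAL_PATCHES:
        for value in params.get(patch["param"], []):
            if patch["allow"].fullmatch(value) is None:
                return False, "rule %d: %s" % (patch["id"], patch["msg"])
    return True, ""

def handle(conn, query_string):
    """WAF-style front door: block on a rule hit, otherwise pass the request
    through to the unchanged application."""
    allowed, reason = inspect_request(query_string)
    if not allowed:
        return {"status": 403, "body": reason}
    return {"status": 200, "body": vulnerable_lookup(conn, query_string)}

if __name__ == "__main__":
    db = build_db()
    attack = "id=1%20OR%201%3D1"   # decodes to: 1 OR 1=1
    print("unpatched:", vulnerable_lookup(db, attack))   # every row comes back
    print("patched:  ", handle(db, attack))              # blocked by rule 1001
    print("legit:    ", handle(db, "id=2"))              # still served
```

In ModSecurity 2.x the same patch is a single rule of the form SecRule ARGS:id "!@rx ^[0-9]{1,9}$" "id:1001,phase:2,deny,status:403,log,msg:'virtual patch for id'". Two caveats a practitioner would add: a targeted patch like this only covers the parameter the scanner found, so the zero-day coverage Ofer mentions comes from generic rule sets rather than from the patch itself, and the rule should carry the ticket for the code fix and be retired once that fix ships, or the "temporary" patch quietly becomes the only control.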

