« JavaScript Code Flow Manipulation, and a real world example advisory - Adobe Flex 3 Dom-Based XSS | Main | Securityfocus interview with Mozilla security team »

My current stance on Web Application Firewalls

Andre Gironda has posted an interesting take on 'what web application security really is'. I agree with some of his points however one in particular I'm going to have to disagree with and that related to using Web application firewalls. For many years I've been anti Web application firewall and as a general rule I do not promote using them. To provide you with some context I worked on a WAF product at SPI Dynamics (now HP) (webdefend) that ended up never being released. Part of my job was writing signatures and finding ways to abuse it.

I have warmed up to the idea that WAF's can be good in very specific situations only. I've always been the first to bark 'Don't block the problem fix the problem!' whenever WAF's had been discussed and as far as I'm concerned using a WAF generically to protect your site isn't a good security solution. The one use case for WAF's that I do see involves using a WAF to block *specific known attacks* against specific parameters until the proper fix is rolled out. Unfortunately I can see many people not fixing the issue and relying on the WAF rule entirely to 'address the issue' and I completely disagree with this approach. It is also important to understand that WAFs will not be able to block many attack types and it is important to understand this.

If you want to roll out a WAF at your company you're going to have to set appropriate expectations as to what WAFs are and aren't, as well as when you should use them. Don't just buy them because PCI says if you buy one you'll be compliant and ignore the real problem.

To be clear I'm saying that

- WAFs are a temporary band-aid to a known issue and not a long term solution.
- Depending on the vuln/site it may take hours to track down the issue and provide a solid fix. For larger sites it isn't always as simple as editing a single ASP/JSP/PHP file.
- Until it is fixed you have two options, shutting down that part of the site, or applying a temporary filter against the known bad parameter. I'm not going to tell you which approach to take as this depends on your specific case.
- If you wish to use a WAF filter chances are you're not always going to be able to use a generic signature. You need the expertise available to rewrite rules and beat on proposed filters to ensure evasion use cases don't creep up.
- WAF's will not block all attack types (See the WASC Threat Classification v1 for a decent sized list. Note: This list will double in size once Version 2 is released)

Anyhow check out Andre's post below.

"I wanted to do a post about “what web application security really is” because plenty of people out there don’t get it. They understand that “security attacks are moving from hosts to the Web”, but they have no idea what that means. To most people, web application security is the same thing as website security. I see people trying to approach web application security in the same way that they have tried host security in the past: penetrate (web application security scanner) and patch (web application firewall) — which won’t work."

Rant Link: http://www.tssci-security.com/archives/2008/06/15/what-web-application-security-really-is


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!