Network Security Web-App-Sec

Re: ISA Server and SQL Injection

Subject: Re: ISA Server and SQL Injection
Date: Thu, 17 Feb 2005 21:56:49 +0000
Bogdan Tomchuk wrote:

> Protection against this kind of injection is just another way of patching the
> code, so useless, because this assumes knowing the difference between "good" and
> "bad" URLs, so for OWA, for example, you define a list of templates for all
> known "good" URLs and anything else will be considered SQL injection. I do
> not understand why to spend money on expensive firewall stuff if you can
> patch or upgrade software.

Sure, if the patch is available. (A web app firewall is a protection against ways to exploit a web app vulnerability, not against some identified vulnerable application only.) So patching is not the only solution. If it were, explain to me why so many systems are vulnerable to worms that exploit old vulns, and today some worms are still causing so many disasters.

Now tell me how you protect a web app developed by an internal team, a custom web app. Which patch are you waiting for, and from whom??? I am not sure each company does automatic and permanent web vulnerability assessment.

> Keeping your software current is always better than the "imaginable" security given
> by a software-level firewall, especially against SQL injection.

In a perfect world, maybe... You should say this to big companies with security teams; they are all dumb and do not understand security. They should not use firewalls but only the Windows Update program or apt-get dist-upgrade ;)

Do you know the life of a vulnerability? Many times the vuln stays private, then public, and then vendors do a patch. How long between the private and the patch?? Sometimes a few days, sometimes years... So you stay vuln during all this time because you are "up to date!!!"

Many big companies separate the team doing security, the one doing web dev, the one maintaining the network, etc... All these teams are not synchronized on what happens in each other.
When the security team is not in contact with the app guys and they are in charge of security, what are they doing? They install some web app firewall to prevent attacks.
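The two positions in this exchange, the code-level fix versus a URL-template allowlist in front of an unpatched app, can be put side by side in a few lines. The following is an added example written for this archive page, not code from either poster; the database, the `/app/lookup` handler, the `TEMPLATES` allowlist and the `waf_allows` / `handle_request` helpers are all constructed here to illustrate the argument, not taken from OWA or any real product.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a custom web app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The unpatched handler: user input is concatenated into the SQL text."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_patched(conn, name):
    """The code-level fix: a bound parameter, so input is never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


# Hypothetical allowlist of "good" URL templates, in the spirit of the OWA
# example in the thread: path -> {parameter: regex the value must fully match}.
TEMPLATES = {
    "/owa/logon": {"user": re.compile(r"[A-Za-z0-9_.-]{1,32}\Z")},
    "/app/lookup": {"name": re.compile(r"[A-Za-z0-9_]{1,32}\Z")},
}


def waf_allows(path, params, templates=TEMPLATES):
    """Return (allowed, reason). Anything not matching a template is refused."""
    spec = templates.get(path)
    if spec is None:
        return False, "path not in template list"
    for key, value in params.items():
        pattern = spec.get(key)
        if pattern is None:
            return False, f"unexpected parameter {key!r}"
        if not pattern.match(value):
            return False, f"value of {key!r} does not match template"
    return True, "matches template"


def handle_request(conn, path, params, waf_enabled):
    """Front the still-vulnerable handler with the template filter (or not)."""
    if waf_enabled:
        ok, reason = waf_allows(path, params)
        if not ok:
            return {"status": 403, "reason": reason}
    if path == "/app/lookup":
        return {"status": 200, "rows": lookup_vulnerable(conn, params.get("name", ""))}
    return {"status": 404, "reason": "no such handler"}


if __name__ == "__main__":
    conn = make_db()
    inj = "' OR '1'='1"
    print("unpatched, no filter:", lookup_vulnerable(conn, inj))   # every row leaks
    print("patched:", lookup_patched(conn, inj))                    # [] (literal lookup)
    print("unpatched behind filter:", handle_request(conn, "/app/lookup", {"name": inj}, True))
    # A new internal page nobody added to the template list is refused as well,
    # which is the maintenance cost of the allowlist approach.
    print("untemplated page:", handle_request(conn, "/intranet/report", {}, True))
```

Running it shows both sides of the argument at once: the bound parameter makes the injected string an ordinary (non-matching) name, while the template filter keeps the same string from ever reaching the concatenating code, but only for paths someone has written a template for, and without fixing the code behind it.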