Mark,
Thanks for sharing your thoughts.
I think what you're saying boils down to "just get the code right".
Well, sure, if everyone did just get the code right then we wouldn't
have these problems. But the point of defence in depth is to design a
system that is secure, even if a few coding errors have been made. With
this in mind, app firewalls are a useful part of the arsenal. On a
practical level, doing this gives more security than expending
equivalent effort just on auditing the code.
They have no hope whatsoever to protect a web application where say
switching a name value pair gives you another persons account.
The current ones perhaps, but that's not an inherent limitation. Just
like TCP/IP firewalls have become stateful, so will application
firewalls. Say the field is "basketid", the app firewall starts by
blocking ALL values of that. When a user requests a page with a link to
a valid basketid for that user, the app firewall statefully adds that id
to the whitelist for just that user. This way, if the parameter is
vulnerable to tampering (e.g. it's sequential) the app firewall provides
further protection.
Ideally, the back-end application protects this by using 128-bit random
numbers as IDs. The front-end app firewall provides further protection.
Now, if EITHER of these protections fail, the resulting system is still
secure.
Regards,
Paul
--
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk
