How do you address the fact that the application scanners still miss
a majority of bugs? I was at a client site yesterday when he told me
about pointing WebInspect at HacmeBank from Foundstone (disclaimer: I
work for Foundstone). WI didn't even find the most simple case of
SQL injection on the homepage. How well do you think it does on a
moderately secure application, instead of one designed with numerous
easy to exploit flaws?
-dhs
Dean H. Saxe, CEH
dean@fullfrontalnerdity.com
"What difference does it make to the dead, the orphans, and the
homeless, whether the mad destruction is wrought under the name of
totalitarianism or the holy name of liberty and democracy? "
--Gandhi
Find out about my Hike for Discovery at www.fullfrontalnerdity.com/hfd/
On May 3, 2006, at 9:17 PM, Patrick Wolf wrote:
Regarding independent security verifications of the products
themselves, several WAF vendors created an ICSA Premier Services
certification for WAF to specifically answer this question. Part of
this certification was a full audit of the management console as well.
Here is the lab report for F5's TrafficShield:
https://www.icsalabs.com/icsa/docs/html/communities/services/
Lab_Reports/F5_Certification_Final_Report.PDF
F5 also contracted Aspect Security last year to test the security
provided by TrafficShield vis-à-vis the OWASP Top Ten. That report
can be found here:
http://www.f5.com/reports/Aspect_F5_TrafficShield_Summary_Report.pdf
I should also point out that it is our standard QA practice to test
our UI with an application scanner.
Patrick Wolf | Product Manager
F5 Networks www.f5.com
P 408-273-4859 D 206.272.5556
D 408-273-4859 M 408-390-9400
________________________________________
From: Bill McGee (bam) [mailto:bam@cisco.com]
Sent: Monday, May 01, 2006 7:56 AM
To: MindsX; Dinis Cruz
Cc: owasp-dotnet@lists.sourceforge.net; owasp-
london@lists.sourceforge.net; webappsec@securityfocus.com;
websecurity@webappsec.org
Subject: RE: [WEB SECURITY] Re: [Owasp-dotnet] Review of Owasp-
London Chapter meeting on WAF (Web Application Firewalls)
The trick, of course, is that standards in this area are just
starting to emerge. So who do you get to do the verification? There
is no EAL equivalent for this space, #)3 people will always be able
to find someone like Tolley Group to provide whatever verification
you want if the fee is right.
We *really* need a standards body to step up and establish/conduct
a soup-to-nuts verification plan. An interoperability test would
also be nice...
That's MY .02...
-bill
-----Original Message-----
From: MindsX [mailto:mindsx@gmail.com]
Sent: Mon May 01 06:18:29 2006
To: Dinis Cruz
Cc: owasp-dotnet@lists.sourceforge.net; owasp-
london@lists.sourceforge.net; webappsec@securityfocus.com;
websecurity@webappsec.org
Subject: [WEB SECURITY] Re: [Owasp-dotnet] Review of Owasp-
London Chapter meeting on WAF (Web Application Firewalls)
My $0.02... [I seem to be giving alot away recently]....
5 c) Where are the published independent security reviews of these
products? I find amazing that vendors that are selling a 'security
product', e.g. a software application (WAF) that protects other
software
applications (Websites), do not understand the value of hiring
independent 3rd party security companies to perform source code
security
audits to their products (note that the final results of these audits
must be published and made available to clients). As discussed during
the panel,
it is probably impossible to create bug/vulnerability free
applications, <
but to NOT perform independent security audits to their
code is crazy. Since these vendors are still in the 'Functionality
Arms
Race' phase of their products. Basically, the development teams are
more
focused on features, performance and user experience than on Security
(and I don't have to tell you how 'secure' apps developed like this
tend
to be :). Maybe the solution is to put a WAF protecting a WAF
protecting
a WAF protecting a website :). Note to vendors: If am am wrong in this
comment, feel free to prove me wrong and publish the security audits
performed on your current product(s).
I'm sure that some of the more experienced coders on the planet will
disagree with the above...
No mention of the fact that one vendor outright _refused_ to admit
that web
applications can be made secure - by that I do not mean the
underlying code
processors, but more the functionality / logic enforcement and input
validation....
Nor the fact that they was a hard squeeze on the fact that the same
vendors'
appliance has known bugs....
Hmm... Secure your network by adding more bugs..... or are customers
supposed to purchase an extra WAF from a different vendor to
protect the
original WAF's interface ? anyways...
Moreover - how many of the above build upon open-source with out
fulfilling
the requirements of the relative license? [apparently F5 are in the
clear... or so they say...]
Think the EFF should engage....
MindsX
----------------------------------------------------------------------
---
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks.
This
whitepaper identifies the most common methods of attacks that we
have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?
id=701300000007t9r
----------------------------------------------------------------------
----
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
