Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Mone

from [Ofer Shezaf] Network Security [Permanent Link]
Subject: RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?
Date: Sun, 13 Jan 2008 07:35:55 -0500 
Locking doors is also a waste of money, after all any lock can be broken.
And still we all lock doors. No WAF will solve all of your web security
problems but it would certainly reduce them AND make your site more
protected than the next door, which might be just what you need to keep
clear.

A good example would be the latest SQL injection bot (WHID 2007-82,
http://www.webappsec.org/projects/whid/byid_id_2007-82.shtml). So many web
sites were broken into, and by just having a default install of ModSecurity
(and I am sure any other WAF), they could prevent the hack.

~ Ofer

---

From: Andre Gironda [mailto:andreg@gmail.com] 
Sent: Saturday, January 12, 2008 5:32 PM
To: B Snake
Cc: websecurity@webappsec.org; webappsec@securityfocus.com
Subject: Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of
Money?

Deploying WAFs at all - Waste of Money?

Answer: Not if you just made a check-mark on a PCI-DSS audit

On 1/12/08, B Snake <bsnak3@gmail.com> wrote:

It seems like 90+% of companies that implement WAFs deploy them in
listening-only mode and don't do any blocking for fear of false positives
cutting off legitimate user activity.

I'm new to WAFs and this may be a stupid question, but what security value
does a WAF add if it's not doing any blocking of malicious activity?

-BSnake



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web 
application security assessments should be considered a crucial phase in the 
development of any web application. What methodology should be followed? What 
tools can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?, Ivan Ristic
Next by Date:  Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?, Ryan Barnett
Previous by Thread:  RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?, Ofer Shezaf
Next by Thread:  Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?, Ryan Barnett
Indexes:  [Date] [Thread] [Top] [All Lists]