Friday, June 27, 2008

Waf me not

Armando Romeo
Which side of the field are you on?

There's only one hot topic in the industry right now:
Web application firewalls.

Infosec big names are fighting a war worth millions of dollars over whether Web Application Firewalls are a viable solution to web application security issues.

Understanding who the parties on the field are is critical to following the discussion without being fooled by subliminal marketing messages.


The CTO of company X, in order to become PCI compliant, reads the standard. There (requirement 6.6) it is written that you have two options:
Source code review
OR
Web application Firewall

What kind of expectations does he have of a WAF at this point? He trusts the PCI standard. He thinks that if a WAF is offered as an alternative to source code analysis, then the two must provide more or less the same security.

So WAF vendors, empowered by PCI compliance, can push their products and advertise them as a plug-and-play security solution.

There's nothing worse than a false sense of safety.

Feeling self-confident about security because you have a WAF in front of your web server is the beginning of all your problems.

I have read some WAF vendors commenting on blog posts. They all say something like: "yes, we never said it is bullet-proof; indeed, it's just part of a broader solution we offer".

What kind of broader solution? Vulnerability assessment plus WAF?
Is this really the security companies need?
Do you really think that automated tools (the ones we have now) are capable of securing anything?

Automated scanners that miserably fail to detect even blind SQL injection or CSRF vulnerabilities, feeding rules to a WAF that is in turn miserably unable to protect against simple, very simple coding errors: a missing check on an authentication cookie, a logic flaw, an information leakage bug?
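As an added example (not code from the original post, nor from any WAF product), here is the kind of coding error meant above, in Python: a handler that trusts the user id carried in its own session cookie. The toy WAF rule set, the cookie format, the account table and the secret are all assumptions constructed for the illustration. The point it shows is that a forged cookie contains no attack syntax at all, so a pattern-matching WAF passes it, the vulnerable handler happily serves another user's account, and only the hardened handler, which verifies a server-side HMAC over the id, rejects it.

```python
"""Added example: a cookie-trust logic flaw that a signature-based WAF cannot see.

Everything here is constructed for illustration. The WAF rules, the
session-cookie format, the account table and the secret are assumptions,
not code from the original post or from any product.
"""
import hashlib
import hmac
import re

# Toy signature-based WAF: a few patterns of the kind generic rule sets look for.
WAF_RULES = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"(?i)<script"),
    re.compile(r"(?i)'\s*or\s+1=1"),
]


def waf_allows(request: dict) -> bool:
    """Return True when no rule matches the request path or cookie header."""
    haystack = " ".join([request.get("path", ""), request.get("cookie", "")])
    return not any(rule.search(haystack) for rule in WAF_RULES)


# Constructed account table: user id -> account owner.
ACCOUNTS = {42: "alice", 7: "bob"}


def vulnerable_handler(request: dict) -> str:
    """The coding error: trusts whatever user id the client put in the cookie.

    Cookie format (assumed): session=<uid>
    """
    uid = int(request["cookie"].split("=", 1)[1])
    return ACCOUNTS.get(uid, "unknown")


# Assumption: a secret that never leaves the server.
SECRET = b"assumed-server-side-secret"


def sign_uid(uid: int) -> str:
    """Issue the cookie value the hardened handler expects: <uid>.<hmac-sha256>."""
    mac = hmac.new(SECRET, str(uid).encode(), hashlib.sha256).hexdigest()
    return f"{uid}.{mac}"


def hardened_handler(request: dict) -> str:
    """Accepts the user id only if the server-issued MAC over it verifies.

    Cookie format (assumed): session=<uid>.<hmac-sha256 hex>
    """
    value = request["cookie"].split("=", 1)[1]
    uid_str, _, mac = value.partition(".")
    if not uid_str.isdigit() or not mac:
        return "rejected"
    expected = hmac.new(SECRET, uid_str.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the MAC.
    if not hmac.compare_digest(expected, mac):
        return "rejected"
    return ACCOUNTS.get(int(uid_str), "unknown")


def demo() -> dict:
    """Run the three requests through the WAF and both handlers."""
    # Bob logs in legitimately and is issued a signed cookie for uid 7.
    bob_request = {"path": "/account", "cookie": "session=" + sign_uid(7)}
    # Bob edits his cookie to claim Alice's uid. Nothing here looks like an attack.
    forged_plain = {"path": "/account", "cookie": "session=42"}
    forged_signed = {"path": "/account", "cookie": "session=42." + "0" * 64}
    # A textbook injection attempt, for contrast: this the rule set does catch.
    sqli = {"path": "/search?q=' or 1=1--", "cookie": ""}
    return {
        "waf_passes_forged_cookie": waf_allows(forged_plain),
        "vulnerable_serves": vulnerable_handler(forged_plain),
        "hardened_on_forged": hardened_handler(forged_signed),
        "hardened_on_legit": hardened_handler(bob_request),
        "waf_blocks_sqli": not waf_allows(sqli),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The forged request is indistinguishable, at the HTTP level, from a legitimate one: same path, same cookie name, a plausible integer value. No rule written against request syntax can tell them apart, because the defect lives in what the application does with a well-formed value, not in the value itself. That is the class of bug that only a review of the code (or a tester who reads the application's logic) will find.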

And no, taking the web back to what it was 3-4 years ago by encrypting the query string to prevent tampering is not the solution, in my opinion.
Trading business functionality for security should be avoided as much as possible.

There's also a big difference between the security that is needed and the security that is required.

WAFs respond to a demand for required security.
Security that can be shown to an auditor.

"Hey, I do care about my customers' data. I have a WAF!"

An honest security consultancy carrying out penetration testing and source code review responds to a security need.

"Hey, I do care about my customers' data. I have plenty of good guys trying to hack me, and fix me, every month."

At SecurityBrigade, we do not push any WAF sale, although we recognize it as a valid means to avoid common, simple (but still dangerous) vulnerabilities.

We promote real, expert, man-made penetration testing jobs and source code reviews.

WAFs are proposed to clients as a further layer, to cover them in the cases where the code changes for some reason and new vulnerabilities are introduced after our last review.
It must be made clear that the further they drift from the reviewed source code, the lower the security level is. No matter how cool the WAF is.

Another aspect to take into consideration is the operational cost of such devices. Are they, all in all, worth the money?
Let's forget about PCI for a moment: are they really responding to the need for real security? Not at the moment.
They are responding to a quick need for security.
That, in the long run, becomes "cheap security".
And cheap refers to quality, not to expense.

And by the way, I am on the old-school side. I do like innovation.
But we have to spend more on people, not on technology.

Because my hotel in Paris, while I was writing this blog post, asked me to send my credit card number by email.
Would a WAF solve that?
