So as I thought about this (again) I decided to come up with the top 5 reasons why Web Application Firewalls are, and will continue to be, deployed in the world of PCI DSS requirements. So, here it is... the list.
Top 5 Reasons why WAFs Won't Go Away
- The PCI DSS - [... and to be fair, other regulations] While it may not be accomplishing total security, as many people have already pointed out - WAFs do at least a minimalistic job of upping the security on a lot of credit-card processing sites.
- IT Security Managers - Let's face it folks, if you're in charge of a large IT company's security team you've got a monumental job ahead of you. You can either try and turn the Titanic and get developers to write better code (should only take 2-3 years or so) - or you can spend some cash and throw in a WAF, optionally in block-mode... the PCI DSS says nothing about being in block mode! *(More on this in a future installment)
- Legacy Code - Legacy code sucks because it is hard to secure... primarily because you very rarely have the source. And even if you do have the source code, good luck figuring out what code written 7 years ago with no comments actually does.
- Clueless Management - If you don't believe WAFs will continue to exist because execs just don't get web application security - you should stop smoking crack, seriously. Executives are looking for quick ways to answer the "Are you PCI Compliant yet?" question - and the "slap this box in, and you're done" approach that WAF vendors sell is irresistible.
- Developers Still Suck - I'm sorry, but it's true. Whether they're off-shore, on-shore, in China, India, the US or the Moon, developers are continuing to write bad code in alarming numbers. Pick up XSS Assistant for GreaseMonkey (Firefox plugin) and you can surf thousands of sites that are susceptible to parameter validation issues (XSS, SQLi, etc); this doesn't even account for the more complex logic issues that require some probing.
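Two of the points above (a WAF sitting in monitor rather than block mode, and parameter validation bugs that a WAF papers over) are easy to see side by side in code. The following is an added example, not code from the original post or from any WAF vendor: a toy signature engine with a `block_mode` switch, run over a handful of constructed sample requests, next to the application-side allow-list validation that actually fixes the parameter problem. The rule set, the request format and the `validate_params` schema are all assumptions made for the illustration; a real WAF normalises encodings and carries far more rules than the two shown here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample requests for the example (query parameters only).
SAMPLE_REQUESTS = [
    {"id": "r1", "params": {"q": "laptop bags"}},
    {"id": "r2", "params": {"q": "<script>alert(1)</script>"}},
    {"id": "r3", "params": {"user": "bob' OR '1'='1"}},
    {"id": "r4", "params": {"page": "3"}},
]

# Deliberately tiny signature set standing in for a WAF rule base (assumed,
# not from any product). Real rules decode and normalise input before matching.
RULES = {
    "xss-script-tag": re.compile(r"<\s*script", re.IGNORECASE),
    "sqli-tautology": re.compile(r"'\s*or\s*'", re.IGNORECASE),
}


@dataclass
class WafResult:
    blocked: list = field(default_factory=list)  # request ids stopped
    passed: list = field(default_factory=list)   # request ids forwarded to the app
    log: list = field(default_factory=list)      # (request id, rule names) alerts


def run_waf(requests, block_mode):
    """Evaluate each request against RULES.

    In monitor mode (block_mode=False) a hit only produces a log entry and the
    request still reaches the application; in block mode the request is dropped.
    """
    result = WafResult()
    for req in requests:
        hits = [name for name, rx in RULES.items()
                if any(rx.search(v) for v in req["params"].values())]
        if hits:
            result.log.append((req["id"], hits))
            if block_mode:
                result.blocked.append(req["id"])
                continue
        result.passed.append(req["id"])
    return result


# Application-side allow-list: each parameter has an exact permitted shape.
# This is the fix the WAF is standing in for; the schema is assumed for the demo.
PARAM_SCHEMA = {
    "q": re.compile(r"[A-Za-z0-9 ]{1,64}"),
    "user": re.compile(r"[A-Za-z0-9_]{1,32}"),
    "page": re.compile(r"[0-9]{1,4}"),
}


def validate_params(params, schema=PARAM_SCHEMA):
    """Return the names of parameters that are unknown or fail their allow-list."""
    bad = []
    for name, value in params.items():
        rx = schema.get(name)
        if rx is None or not rx.fullmatch(value):
            bad.append(name)
    return bad


if __name__ == "__main__":
    for mode in (False, True):
        r = run_waf(SAMPLE_REQUESTS, block_mode=mode)
        print(f"block_mode={mode}: passed={r.passed} blocked={r.blocked} log={r.log}")
    for req in SAMPLE_REQUESTS:
        print(req["id"], "rejected params:", validate_params(req["params"]))
```

Running it shows the gap the post is pointing at: in monitor mode every request, including the two with obvious injection strings, is forwarded and only an alert is written; flipping `block_mode` stops them; and `validate_params` rejects the same two requests at the application boundary without needing any signature at all, which is why the allow-list is the durable fix and the WAF is the stopgap.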