Monday, June 23, 2008

The Product Formerly Known as WAF

I've read too many blogs about how the Web Application Firewall (WAF) is a misnomer, and I've come up with a solution. I would like the entire micro-niche of current WAF vendors to change their product's name to ...
"Web Application Intrusion Defense System" or WaIDS for short

This makes far more sense than calling a product which is *not* a firewall exactly that - and it solves the issue of that managerial response, "but we already have a firewall". Doesn't this make so much more sense? I'm serious. The new name would convey what a WAF actually *is* (a system that inspects HTTP traffic at the application layer and detects or blocks attacks against the application behind it, not a network firewall) and give the technology real meaning and a better sense of purpose.

In addition to the brilliant new name, here are the Top 5 things that WaIDS should advertise itself to solve:
  1. Short-term detection of known web application security defects, i.e. a virtual patch that catches a specific known flaw until the code fix ships
  2. Security support for legacy web-based applications (those not likely to change, or whose source code is no longer available)
  3. Layered (defense-in-depth) security for well-established application security programs
  4. Auditing, auditing, auditing of web-application attacks
  5. [I can't think of a 5th one]
There you have it. I've solved the problem. Next?
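To make items 1, 2 and 4 concrete, here is an added example (not code from the original post or from any WAF vendor) of the kind of "virtual patch" a WAF, or WaIDS, applies in front of a legacy application whose source cannot be changed: each rule is a positive-security check on one parameter of one known-defective page, a rule can either block or only detect, and every hit is written to an audit log. The application paths (`/legacy/report.cgi`, `/legacy/login.cgi`), parameter names and rule IDs are hypothetical, constructed for illustration.

```python
# Added example (not from the original post): a minimal "virtual patch" filter
# of the kind a WAF/WaIDS puts in front of a legacy web application whose source
# cannot be changed. The application paths, parameter names and rule IDs below
# are hypothetical, constructed for illustration.
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """The subset of an HTTP request the filter needs. body is a
    form-encoded POST body ("" when absent)."""
    method: str
    url: str
    body: str = ""
    client_ip: str = "192.0.2.1"  # RFC 5737 documentation address

    def path(self) -> str:
        return urlsplit(self.url).path

    def params(self) -> Dict[str, List[str]]:
        # parse_qs percent-decodes once; query and body values are merged
        # so a rule covers a parameter wherever the legacy app reads it from.
        merged = parse_qs(urlsplit(self.url).query, keep_blank_values=True)
        if self.method.upper() == "POST" and self.body:
            for name, values in parse_qs(self.body, keep_blank_values=True).items():
                merged.setdefault(name, []).extend(values)
        return merged


@dataclass
class Rule:
    """Positive-security rule: every value of `param` at `path` must fully
    match `allowed`. action is "block" (deny) or "detect" (audit only)."""
    rule_id: str
    description: str
    path: str
    param: str
    allowed: re.Pattern
    action: str = "block"


@dataclass
class Decision:
    allowed: bool = True
    matched: List[str] = field(default_factory=list)  # rule IDs that fired


class VirtualPatchFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.audit_log: List[dict] = []  # item 4: every hit is recorded

    def inspect(self, req: Request) -> Decision:
        decision = Decision()
        params = req.params()
        for rule in self.rules:
            if req.path() != rule.path:
                continue  # other parts of the legacy app are untouched
            for value in params.get(rule.param, []):
                if rule.allowed.fullmatch(value):
                    continue
                self.audit_log.append({
                    "rule_id": rule.rule_id,
                    "action": rule.action,
                    "client_ip": req.client_ip,
                    "method": req.method,
                    "path": rule.path,
                    "param": rule.param,
                    "value": value[:200],  # cap what gets logged
                })
                if rule.rule_id not in decision.matched:
                    decision.matched.append(rule.rule_id)
                if rule.action == "block":
                    decision.allowed = False
        return decision


def build_filter() -> VirtualPatchFilter:
    """Two constructed rules for a hypothetical legacy application."""
    return VirtualPatchFilter([
        Rule("LEGACY-001",
             "report.cgi 'id' is concatenated into SQL; only digits are valid",
             "/legacy/report.cgi", "id", re.compile(r"\d{1,10}")),
        Rule("LEGACY-002",
             "login.cgi 'next' is an open redirect; only local paths are valid",
             "/legacy/login.cgi", "next",
             re.compile(r"/(?:[A-Za-z0-9_.-]+/?)*"), action="detect"),
    ])


if __name__ == "__main__":
    waf = build_filter()
    for req in (
        Request("GET", "/legacy/report.cgi?id=42"),
        Request("GET", "/legacy/report.cgi?id=42%20OR%201%3D1"),
        Request("GET", "/legacy/login.cgi?next=//evil.example/"),
    ):
        print(req.url, "->", waf.inspect(req))
    for entry in waf.audit_log:
        print(entry)
```

Two points a practitioner would check before relying on something like this: the rule is scoped to one path and one parameter, so it is a patch for a known defect, not a general attack signature set, and the check runs on the decoded value (`parse_qs` percent-decodes once), so the normalisation the filter applies has to match what the legacy application actually does with the parameter, otherwise an encoding the app decodes but the filter does not will slip past.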


dre said...

I prefer to just call them "doorstops".

It's nice to see that we agree on something.

Rafal Los said...

Actually, Andre, we don't agree.

I wouldn't ever refer to a "WAF" (or WaIDS) as a doorstop. They're a very relevant piece of technology that's crucial in certain places in the web-enabled enterprise. If I've learned anything from my last 13 years in IT, it's that almost every piece of technology has its place... and WaIDS (WAFs) certainly do as well. Think of it this way - what if you're a business that has a legacy web application (don't tell me you don't believe that there are many, many out there...) and you rely on it for your daily business but simply don't have the source code anymore (or never have)?
Once you've spent a few years in business, you'll understand.

dre said...

I take it that in your scenario the company that's relying on this legacy piece of software isn't a public company, doesn't have the application in question attached to any sort of payment gateway, and also doesn't have any financial data attached to said application?

Otherwise, that company would be under the auspices of Sarbanes-Oxley, GLBA, or PCI-DSS. If they didn't have the source code, then that application would have been re-coded 5 or 6 years ago. Your situation doesn't exist.

You have no real-world experience -- and I would prefer that you instead do your homework on someone before you claim that they don't have the necessary experience to make bold claims as you do. When I hear people such as you make these claims -- such verbal, ad-hominem attacks are often a reflection on the person who is stating them as fact. In other words, "I Know You Are But What Am I?", or "Look In The Mirror, Buddy".

If you've been 13 years in IT, then you obviously spent 12.5 years of it in tech support for computerized alarm clocks.

Rafal Los said...

Andre - I find your statement "your situation doesn't exist" to be alarmingly amusing. Yes - those situations do exist. Although it may come as a shock to some individuals in our security profession, some of these are actually considered acceptable risk by large multi-national organizations. Think of it this way... PCI-DSS is the closest to a hard set of rules, which is still not 100% water-tight. The rest (SOX and the like) are fodder for anyone with a decent attorney and solely rely on the auditor. This is the reality of business.
As for your attack on my experience... I'd love to compare resumes and accolades any time you want to take your head out of your ... Cheers mate, and hey - thanks for reading.