Monday, June 30, 2008

Top 5 Reasons WAF Will Not Die

I'd like to say that we've beaten the WAF (or, as I call it, WaIDS) topic to an absolute bloody pulp... but I guess I'm wrong. A shining example is Marcin's TS/SCI security blog, whose "Week of War on WAFs" series is technically accurate and packed with information - but it doesn't address the real-world issue that continues to drive WAF adoption in the business world. Let's face it, there are a bunch of WAF companies out there and they're not all going belly-up - in fact, they're making a killing with the PCI DSS deadline today! By the way, this blog entry is a great read if you are looking for more analysis on the topic of PCI DSS and the June 30th deadline.

So as I thought about this (again), I decided to come up with the top 5 reasons why Web Application Firewalls are, and will continue to be, deployed in the world of PCI DSS requirements. So, here it is... the list.

Top 5 Reasons why WAFs Won't Go Away
  1. The PCI DSS - [... and to be fair, other regulations] While it may not be accomplishing total security, as many people have already pointed out, WAFs do at least a minimalistic job of upping the security on a lot of credit-card processing sites.
  2. IT Security Managers - Let's face it folks, if you're in charge of a large IT company's security team you've got a monumental job ahead of you. You can either try to turn the Titanic and get developers to write better code (should only take 2-3 years or so) - or you can spend some cash and throw in a WAF, optionally in block mode... the PCI DSS says nothing about being in block mode! *(More on this in a future installment)
  3. Legacy Code - Legacy code sucks because it is hard to secure... primarily because you very rarely have the source. And even if you do have the source code, good luck figuring out what code written 7 years ago and never commented actually does.
  4. Clueless Management - If you don't believe WAFs will continue to exist because execs just don't get web application security - you should stop smoking crack, seriously. Executives are looking for quick ways to answer the "Are you PCI compliant yet?" question - and the "slap this box in, and you're done" approach that WAF vendors sell is irresistible.
  5. Developers Still Suck - I'm sorry, but it's true. Whether they're off-shore, on-shore, in China, India, the US or the Moon, developers are continuing to write bad code in alarming numbers. Pick up XSS Assistant for Greasemonkey (a Firefox extension) and you can surf thousands of sites that are susceptible to parameter validation issues (XSS, SQLi, etc.); this doesn't even account for the more complex logic issues that require some probing.
There you have it. WAFs will not be gone any time soon. Whether or not I agree with the assessments that they're best suited for doorstops and boat anchors - they're not going away, and we need to figure out a way to move that technology forward and make it more intelligent and more "secure"... otherwise it'll be just another security failure that's blamed on the industry as a whole. And the reality is - if that happens, we've all failed.

