Web Application Firewalls Complement - Don't Replace - Secure Coding
One of Jeremiah Grossman's posts on web application firewalls (WAFs) has prompted something of a theological debate about who won the network security wars. Grossman argues WAFs are needed (1) because software has bugs and (2) there is no way we're going to go back and patch all the vulnerable legacy code out there. He sums up his point:
Still I think the web application security problem has simply gotten WAY too big to be fixable in the code without the help of WAF’s.
In addition to WAFs, we also need a security mindset built into software development life cycles and we still need vulnerability assessments. So far so good, then things get strange.
A comment by ntp includes many good points but also includes this one:
An alternative to scanning for vulnerabilities would be to sign the code and verify signatures to revision levels (a simpler, less intrusive solution).
Signing can help verify what code is running but it's no substitute for checking for vulnerabilities. Signed code can be vulnerable, so why not test it?
This is an example of a kind of theological faith in a few technologies while dismissing the utility of others that is dangerous in software development and network management. ntp concludes with:
Scanner-based assessments, compliance testing, source-code audits, "secure" frameworks, and WAF's make my list of `very distant last-places'. Should you still use these if they are so far off the target goal of security? Sure, if you have the time. But don't lose the big picture.
I disagree. Depending on where you are starting, frameworks could be the first, not the last place to start. Frameworks, if nothing else, point out the bare minimum of what you should be doing even if they are light on implementation details. The same goes for WAFs, in some cases they are going to be the quickest (partial) solution to mitigating vulnerabilities.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
