[OWASP-ESAPI] SWAFs: ESAPI-WAF vs. Fortify F360

Neil Matatall neil at owasp.org
Thu Nov 19 21:32:45 EST 2009


SWAF = software WAF

I attended the OWASP LA meeting last night and Brian Chess of Fortify was
speaking on, among other things, their Fortify 360 product
(http://www.fortify.com/products/fortify-360/). The Fortify product uses the
extensibility hooks usually reserved for debuggers and profilers to inject
security-related code such as validation, authorization checks, direct
object references, etc. by hooking into things such as servlet filters, SQL
queries, etc.

I was thinking, this sounds awfully familiar. It seems like a version of
the ESAPI-WAF on steroids. The rules looked very similar to what was
done in the ESAPI WAF.

Anyhow, not sure why I bring this up other than the appearances of two SWAFs
in a relatively short time period and I love the SWAF acronym.

And I credit Jim on the SWAF term, I just can't stop laughing.  Something
about that acronym makes me smile.

p.s.  Brian Chess is a really great speaker, and I recommend anyone attend
his presentations if you get the chance.

--

Neil
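The mechanism the post describes, shown as an added illustration that is not part of the original message and is not Fortify's or ESAPI's code: a "software WAF" that takes an application's existing functions and wraps them at runtime with authorization, input-validation and SQL-statement rules the application itself never had to be edited for. The application pieces (`run_query`, `handle_request`, the `users` table, the request dict layout) are hypothetical stand-ins for a DAO and a servlet; Python decorators and a global rebind stand in for the debugger/profiler instrumentation hooks a JVM product would use.

```python
import functools
import re
import sqlite3

# ---- hypothetical application code, standing in for a servlet and a DAO ----

def run_query(conn, sql, params=()):
    """Hypothetical data-access helper: runs one statement and returns the rows."""
    return conn.execute(sql, params).fetchall()

def handle_request(request):
    """Hypothetical request handler. `request` is a dict with keys
    conn, path, user (dict with a role) and params (dict of query parameters)."""
    conn = request["conn"]
    if request["path"] == "/admin/users":
        return {"status": 200, "body": run_query(conn, "SELECT name FROM users")}
    if request["path"] == "/user":
        uid = request["params"].get("id", "")
        return {"status": 200,
                "body": run_query(conn, "SELECT name FROM users WHERE id = ?", (uid,))}
    return {"status": 404, "body": []}

# ---- the SWAF: rules applied by wrapping the functions above at runtime ----

BLOCKED = []  # audit trail of (rule type, detail) for every rejection

# Statement shapes the application is known to issue. A statement assembled by
# string concatenation matches none of them and is refused before it reaches
# the database.
APPROVED_SQL = {
    "SELECT name FROM users",
    "SELECT name FROM users WHERE id = ?",
}

def hook_sql(fn):
    """Wrap a query function so only approved statement shapes are executed."""
    @functools.wraps(fn)
    def wrapper(conn, sql, params=()):
        if sql not in APPROVED_SQL:
            BLOCKED.append(("sql", sql))
            raise PermissionError("SWAF: statement shape not approved")
        return fn(conn, sql, params)
    return wrapper

# (path pattern, role required or None, {parameter: allowed pattern})
REQUEST_RULES = [
    (re.compile(r"^/admin/"), "admin", {}),
    (re.compile(r"^/user$"), None, {"id": re.compile(r"[0-9]{1,9}")}),
]

def hook_request(fn):
    """Wrap a request handler with authorization and input-validation rules."""
    @functools.wraps(fn)
    def wrapper(request):
        for path_re, role, validators in REQUEST_RULES:
            if not path_re.search(request["path"]):
                continue
            if role is not None and request.get("user", {}).get("role") != role:
                BLOCKED.append(("authz", request["path"]))
                return {"status": 403, "body": []}
            for name, pattern in validators.items():
                if not pattern.fullmatch(request["params"].get(name, "")):
                    BLOCKED.append(("validation", name))
                    return {"status": 400, "body": []}
        return fn(request)
    return wrapper

_INSTALLED = False

def install_swaf():
    """Rebind the application's functions to their hooked versions (once)."""
    global run_query, handle_request, _INSTALLED
    if _INSTALLED:
        return
    run_query = hook_sql(run_query)
    handle_request = hook_request(handle_request)
    _INSTALLED = True

def demo():
    """Exercise the rules against a constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    install_swaf()
    base = {"conn": conn, "user": {"role": "guest"}, "params": {}}
    outcomes = {
        "admin_as_guest": handle_request({**base, "path": "/admin/users"})["status"],
        "admin_as_admin": handle_request(
            {**base, "path": "/admin/users", "user": {"role": "admin"}})["status"],
        "non_numeric_id": handle_request(
            {**base, "path": "/user", "params": {"id": "2abc"}})["status"],
        "numeric_id": handle_request(
            {**base, "path": "/user", "params": {"id": "2"}})["body"],
    }
    try:  # a code path that concatenates SQL never reaches the database
        run_query(conn, "SELECT name FROM users WHERE id = " + "2")
        outcomes["concatenated_sql"] = "allowed"
    except PermissionError:
        outcomes["concatenated_sql"] = "blocked"
    return outcomes

if __name__ == "__main__":
    print(demo())
    print(BLOCKED)
```

The point of the allowlist rule is the one the post attributes to both products: because the hook sits at the query boundary, it can distinguish a prepared statement the application was designed to issue from one assembled at runtime, without any change to the application's source. The `BLOCKED` list is where a real deployment would emit its log events.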