[OWASP-ESAPI] SWAFs: ESAPI-WAF vs. Fortify F360
neil at owasp.org
Thu Nov 19 21:32:45 EST 2009
SWAF = software WAF
I attended the OWASP LA meeting last night and Brian Chess of Fortify was
speaking on, among other things, their Fortify 360 product
http://www.fortify.com/products/fortify-360/ The Fortify product uses the
extensibility hooks usually reserved for debuggers and profilers to inject
security-related code such as validation, authorization checks, direct
object references, etc. by hooking into things such as servlet filters, sql
I was thinking, this sounds awfully familiar. It seems like a version of
the ESAPI-WAF on steroids. The rules looked very similar to what was
done in the ESAPI WAF.
Anyhow, not sure why I bring this up other than the appearances of two SWAFs
in a relatively short time period and I love the SWAF acronym.
And I credit Jim on the SWAF term, I just can't stop laughing. Something
about that acronym makes me smile.
p.s. Brian Chess is a really great speaker, and I recommend anyone attend
his presentations if you get the chance.