[OWASP-ESAPI] SWAFs: ESAPI-WAF vs. Fortify F360
mike.boberski at gmail.com
Thu Nov 19 21:44:01 EST 2009
Another point of comparison for your consideration: I don't see a source
code download or BSD license on that Fortify link.
On Thu, Nov 19, 2009 at 9:32 PM, Neil Matatall <neil at owasp.org> wrote:
> SWAF = software WAF
> I attended the OWASP LA meeting last night and Brian Chess of Fortify was
> speaking on, among other things, their Fortify 360 product:
> http://www.fortify.com/products/fortify-360/
> The Fortify product uses the extensibility hooks usually reserved for
> debuggers and profilers to inject security-related code such as validation,
> authorization checks, direct object references, etc. by hooking into things
> such as servlet filters, SQL queries, etc.
> I was thinking, this sounds awfully familiar. It seems like a version of
> the ESAPI-WAF on steroids. The rules looked very similar to what was
> done in the ESAPI WAF.
> Anyhow, not sure why I bring this up other than the appearances of two
> SWAFs in a relatively short time period and I love the SWAF acronym.
> And I credit Jim on the SWAF term, I just can't stop laughing. Something
> about that acronym makes me smile.
> p.s. Brian Chess is a really great speaker, and I recommend anyone attend
> his presentations if you get the chance.
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
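As an added illustration (not code from ESAPI-WAF, Fortify 360, or either poster), here is the servlet-filter hook Neil describes reduced to its simplest form: one filter that applies a small allow-list rule set to request parameters and rejects the request before it reaches application code, logging the block for detection. The class name RuleBasedValidationFilter, the ParamRule/firstViolation helpers and the two rules are assumptions made for this example; it assumes the javax.servlet API on the classpath.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Minimal software-WAF style filter: allow-list validation of request parameters per URL. */
public class RuleBasedValidationFilter implements Filter {

    /** Hypothetical rule: on URLs matching pathPattern, parameter paramName must match allowed. */
    static final class ParamRule {
        final Pattern pathPattern;
        final String paramName;
        final Pattern allowed;

        ParamRule(String pathRegex, String paramName, String allowedRegex) {
            this.pathPattern = Pattern.compile(pathRegex);
            this.paramName = paramName;
            this.allowed = Pattern.compile(allowedRegex);
        }
    }

    // Constructed rule set for the example (an assumption, not an ESAPI-WAF or Fortify rule file).
    static final List<ParamRule> RULES = List.of(
        new ParamRule("^/account/.*", "id", "^[0-9]{1,10}$"),          // numeric object id only
        new ParamRule("^/search$", "q", "^[\\p{Alnum} ]{0,64}$")        // short alphanumeric query
    );

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String violation = firstViolation(http.getServletPath(), http.getParameterMap());
        if (violation != null) {
            // Block before the request reaches the application; log so it shows up in detection.
            http.getServletContext().log("SWAF block: " + violation
                    + " from " + http.getRemoteAddr());
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns a description of the first rule violation, or null when the request is clean. */
    static String firstViolation(String path, Map<String, String[]> params) {
        for (ParamRule rule : RULES) {
            if (!rule.pathPattern.matcher(path).matches()) {
                continue;                       // rule does not apply to this URL
            }
            String[] values = params.get(rule.paramName);
            if (values == null) {
                continue;                       // parameter absent: nothing to validate here
            }
            for (String v : values) {           // every repeated value must pass
                if (!rule.allowed.matcher(v).matches()) {
                    return "parameter '" + rule.paramName + "' on " + path
                            + " failed allow-list";
                }
            }
        }
        return null;
    }

    /** Exercises the rule check without a servlet container, using constructed requests. */
    public static void main(String[] args) {
        System.out.println(firstViolation("/account/view",
                Map.of("id", new String[] {"42"})));                   // null (clean)
        System.out.println(firstViolation("/account/view",
                Map.of("id", new String[] {"42 OR 1=1"})));            // violation reported
        System.out.println(firstViolation("/search",
                Map.of("q", new String[] {"esapi waf"})));             // null (clean)
    }
}
```

In a real deployment the filter is registered in web.xml or with a @WebFilter annotation so it runs ahead of every servlet; the main method only exercises the rule check standalone. The point of the rules being allow-lists rather than attack signatures is that a request is rejected for not looking like what the application expects, which is the same posture the ESAPI-WAF rule files take.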