[OWASP-ESAPI] SWAFs: ESAPI-WAF vs. Fortify F360

Mike Boberski mike.boberski at gmail.com
Thu Nov 19 21:44:01 EST 2009


Another point of comparison for your consideration: I don't see a source
code download or BSD license on that Fortify link.

Mike


On Thu, Nov 19, 2009 at 9:32 PM, Neil Matatall <neil at owasp.org> wrote:

> SWAF = software WAF
>
> I attended the OWASP LA meeting last night and Brian Chess of Fortify was
> speaking on, among other things, their Fortify 360 product
> (http://www.fortify.com/products/fortify-360/). The Fortify product uses the
> extensibility hooks usually reserved for debuggers and profilers to inject
> security-related code such as validation, authorization checks, direct
> object references, etc. by hooking into things such as servlet filters, SQL
> queries, etc.
>
> I was thinking, this sounds awfully familiar.  It seems like a version of
> the ESAPI-WAF on steroids.  The rules looked very similar to what was
> done in the ESAPI WAF.
>
> Anyhow, not sure why I bring this up other than the appearances of two
> SWAFs in a relatively short time period and I love the SWAF acronym.
>
> And I credit Jim on the SWAF term, I just can't stop laughing.  Something
> about that acronym makes me smile.
>
> p.s.  Brian Chess is a really great speaker, and I recommend anyone attend
> his presentations if you get the chance.
>
> --
>
> Neil
>
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
>
>
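An added illustration of the hooking approach Neil describes above (security checks injected at the JDBC/SQL boundary rather than written into application code). This is not code from ESAPI-WAF, Fortify 360 or anyone in this thread: it wraps java.sql.Statement in a dynamic proxy so that a rule runs on every SQL string before the real statement sees it. The class name SqlHookDemo, the inline-literal rule, the recording stand-in for a driver's Statement and the sample queries are all constructed for this example.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added illustration of the "SWAF" hooking idea from the thread. NOT ESAPI-WAF
 * or Fortify 360 code: a dynamic proxy around java.sql.Statement runs a rule on
 * every SQL string before the wrapped statement receives it, so the check is
 * applied without touching the application code that issues the query.
 */
public final class SqlHookDemo {

    /**
     * Hypothetical rule (an assumption for this demo): a plain Statement may not
     * carry inline string literals; such values belong in PreparedStatement
     * parameters. Deliberately coarse, so it also blocks harmless literals
     * such as WHERE status = 'active'.
     */
    private static final Pattern INLINE_LITERAL = Pattern.compile("'[^']*'");

    static boolean violatesRule(String sql) {
        return INLINE_LITERAL.matcher(sql).find();
    }

    /** Wrap a real Statement so every execute*(String sql, ...) call is checked first. */
    static Statement guard(Statement real) {
        InvocationHandler hook = (proxy, method, args) -> {
            if (method.getName().startsWith("execute")
                    && args != null && args.length > 0 && args[0] instanceof String) {
                String sql = (String) args[0];
                if (violatesRule(sql)) {
                    // SQLException is declared by the execute* methods, so the
                    // proxy surfaces it to the caller unchanged.
                    throw new SQLException("SWAF rule: inline literal rejected: " + sql);
                }
            }
            try {
                return method.invoke(real, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // rethrow the wrapped statement's own exception
            }
        };
        return (Statement) Proxy.newProxyInstance(
                SqlHookDemo.class.getClassLoader(), new Class<?>[] {Statement.class}, hook);
    }

    /**
     * Stand-in for a JDBC driver's Statement (constructed for the demo so it
     * runs without a database): records the SQL it receives and returns
     * neutral values for every method.
     */
    static Statement recordingStatement(List<String> executed) {
        InvocationHandler fake = (proxy, method, args) -> {
            if (method.getName().startsWith("execute") && args != null && args.length > 0) {
                executed.add(String.valueOf(args[0]));
            }
            Class<?> r = method.getReturnType();
            if (r == boolean.class) return Boolean.FALSE;
            if (r == int.class) return 0;
            if (r == long.class) return 0L;
            return null;
        };
        return (Statement) Proxy.newProxyInstance(
                SqlHookDemo.class.getClassLoader(), new Class<?>[] {Statement.class}, fake);
    }

    public static void main(String[] args) throws Exception {
        List<String> executed = new ArrayList<>();
        Statement st = guard(recordingStatement(executed));

        // Constructed sample queries: the first passes the rule, the second
        // carries an inline literal and is stopped before it reaches the "driver".
        st.executeQuery("SELECT id FROM users WHERE id = 42");
        try {
            st.executeQuery("SELECT * FROM users WHERE name = '' OR '1'='1'");
        } catch (SQLException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        System.out.println("reached the driver: " + executed);
    }
}
```

The hook sees only the final SQL string, not whether a literal was typed by a developer or concatenated from request data, which is why the rule above has to be coarse. Any rule set injected from outside the application, whether in a servlet filter or at the JDBC layer, inherits that limitation and needs tuning against the application's real queries before it can be run in blocking mode.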