[OWASP-ESAPI] SWAFs: ESAPI-WAF vs. Fortify F360
dan at denimgroup.com
Thu Nov 19 21:54:33 EST 2009
We've got some code that should be coming out next week under an LGPL license that will take results from various dynamic analysis tools and generate ESAPI WAF rules for certain classes of vulnerabilities. First release will be a "technology preview", which means thrown together quickly :) But it works, and as it gets more mature it should make it dead simple to create "virtual patches" for SWAFs (or HWAFs).
Also - supporting other WAFs/IPS systems is pretty straightforward once you have the vulnerabilities imported in a structured format.
I'll post to the list once we get our ducks in a row and have the actual code and demos posted.
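As an added illustration of the "scanner findings in, virtual patches out" idea (example code, not the Denim Group release mentioned above): a small Python generator that turns constructed, already-imported findings into ESAPI WAF `<virtual-patch>` rules. The attribute names (`id`, `path`, `variable`, `pattern`, `message`) follow the ESAPI 2.x sample policy as remembered here, and the code assumes `path` is matched as a regex; check both against the `esapi-waf-policy.xml` shipped with your ESAPI version.

```python
"""Generate ESAPI WAF virtual-patch rules from normalized scanner findings."""
import re
from xml.etree import ElementTree as ET

# Constructed sample of what a dynamic-scan export might look like once it
# has been imported into a structured form (path, parameter, vulnerability class).
SAMPLE_FINDINGS = [
    {"path": "/account/search.jsp", "parameter": "q", "type": "xss"},
    {"path": "/account/view.jsp", "parameter": "id", "type": "sqli"},
    {"path": "/account/view.jsp", "parameter": "id", "type": "sqli"},      # duplicate
    {"path": "/help.jsp", "parameter": "topic", "type": "info_leak"},      # no patch class
]

# Allow-list patterns per vulnerability class. A virtual patch only narrows the
# accepted input; these are assumed defaults and must be tuned per application.
PATTERNS = {
    "xss": r"^[\w\s.,-]{0,128}$",   # plain text only, no markup characters
    "sqli": r"^\d{1,10}$",          # numeric identifier
}


def build_patches(findings):
    """Collapse findings into one patch per (path, parameter); skip classes without a pattern."""
    seen = set()
    patches = []
    for f in findings:
        key = (f["path"], f["parameter"])
        pattern = PATTERNS.get(f["type"])
        if pattern is None or key in seen:
            continue
        seen.add(key)
        patches.append({
            "id": str(len(patches) + 1),
            "path": re.escape(f["path"]),  # assumed: ESAPI WAF treats path as a regex
            "variable": "request.parameters." + f["parameter"],
            "pattern": pattern,
            "message": "Virtual patch for %s on parameter %s" % (f["type"], f["parameter"]),
        })
    return patches


def to_policy_fragment(patches):
    """Render the <virtual-patches> element to paste into esapi-waf-policy.xml."""
    root = ET.Element("virtual-patches")
    for p in patches:
        ET.SubElement(root, "virtual-patch", attrib=p)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(to_policy_fragment(build_patches(SAMPLE_FINDINGS)))
```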
From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Mike Boberski
Sent: Thursday, November 19, 2009 8:44 PM
To: Neil Matatall
Cc: owasp-esapi at lists.owasp.org
Subject: Re: [OWASP-ESAPI] SWAFs: ESAPI-WAF vs. Fortify F360
Another point of comparison for your consideration: I don't see a source code download or BSD license on that Fortify link.
On Thu, Nov 19, 2009 at 9:32 PM, Neil Matatall <neil at owasp.org> wrote:
SWAF = software WAF
I attended the OWASP LA meeting last night and Brian Chess of Fortify was speaking on, among other things, their Fortify 360 product http://www.fortify.com/products/fortify-360/ . The Fortify product uses the extensibility hooks usually reserved for debuggers and profilers to inject security-related code such as validation, authorization checks, direct object references, etc. by hooking into things such as servlet filters, SQL queries, etc.
I was thinking, this sounds awfully familiar. It seems like a version of the ESAPI-WAF on steroids. The rules looked very similar to what was done in the ESAPI WAF.
Anyhow, not sure why I bring this up other than the appearances of two SWAFs in a relatively short time period and I love the SWAF acronym.
And I credit Jim on the SWAF term, I just can't stop laughing. Something about that acronym makes me smile.
p.s. Brian Chess is a really great speaker, and I recommend anyone attend his presentations if you get the chance.