[OWASP-ESAPI] SWAFs: ESAPI-WAF vs. Fortify F360
Dan Cornell
dan at denimgroup.com
Thu Nov 19 22:27:22 EST 2009
We have some of that laying around but it is far from complete. Same
situation: it has been on the TODO list forever but keeps getting
bumped. Let me see if we can have one of our guys pull that stuff
together before the end of the year.
Thanks
Dan
Sent from my iPhone
On Nov 19, 2009, at 9:19 PM, "Kevin W. Wall" <kevin.w.wall at gmail.com> wrote:
> Neil Matatall wrote:
>> SWAF = software WAF
>>
>> I attended the OWASP LA meeting last night and Brian Chess of Fortify was
>> speaking on, among other things, their Fortify 360 product
>> http://www.fortify.com/products/fortify-360/ The Fortify product uses the
>> extensibility hooks usually reserved for debuggers and profilers to inject
>> security-related code such as validation, authorization checks, direct
>> object references, etc. by hooking into things such as servlet filters, SQL
>> queries, etc.
>>
>> I was thinking, this sounds awfully familiar. It seems like a version of
>> the ESAPI-WAF on steroids. The rules looked very similar to what was
>> done in the ESAPI WAF.
>>
>> Anyhow, not sure why I bring this up other than the appearances of two SWAFs
>> in a relatively short time period and I love the SWAF acronym.
>
> I think their intent is very similar. The major difference, I think, is
> how they operate. I believe that the Fortify 360 product that you are
> referring to is their Fortify 360 Real Time Analyzer (RTA). It is my
> understanding that RTA works by instrumenting the Java byte-code that the
> JVM executes. The OWASP ESAPI WAF looks like it's intended to be used
> as a J2EE servlet filter or perhaps at more of a source code level
> by extending HttpServlet--in either case, somewhere where it is able
> to intercept HTTP requests.
>
> And speaking of Fortify 360, what would be nice would be if the Fortify
> folks or one of their business partners such as the Denim Group would
> build us some Fortify 360 Source Code Analyzer rules that recognize the
> various ESAPI encoders and validators as proper remediation for the
> attacks they are designed to prevent. It's on one of my lists of things
> to do for 2010, but it keeps slipping in priority as more things keep
> getting added to my plate.
>
> -kevin
> --
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
>
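The interception point Kevin describes for the ESAPI WAF (a J2EE servlet filter that sees every HTTP request before the application does), shown as an added illustration that is not ESAPI WAF, Fortify or Denim Group code. The class name, the two deny rules (allowed methods and a parameter allow-list) and the Servlet 3.0+ API are assumptions made for the demo.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical minimal "software WAF" filter: wired in web.xml like any other
// servlet filter, it evaluates rules against each request and fails closed.
public class SimpleSwafFilter implements Filter {
    // Allowed HTTP methods for this application (constructed for the demo).
    private static final Set<String> ALLOWED_METHODS = Set.of("GET", "POST");
    // Allow-list for parameter values: printable text, bounded length (constructed rule).
    private static final Pattern SAFE_PARAM = Pattern.compile("^[\\p{Print}\\s]{0,1024}$");

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String reason = evaluate(request.getMethod(), request.getParameterMap());
        if (reason != null) {
            // Record the rule hit for detection and stop before application code runs.
            request.getServletContext().log("SWAF blocked " + request.getRequestURI() + ": " + reason);
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // Returns null when the request passes every rule, otherwise the rule that rejected it.
    static String evaluate(String method, Map<String, String[]> params) {
        if (!ALLOWED_METHODS.contains(method)) {
            return "method not allowed: " + method;
        }
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            for (String v : e.getValue()) {
                if (!SAFE_PARAM.matcher(v).matches()) {
                    return "parameter failed allow-list: " + e.getKey();
                }
            }
        }
        return null;
    }

    @Override
    public void destroy() { }
}
```

Because the filter runs in the servlet container rather than through byte-code instrumentation, it only sees what arrives as an HTTP request; the RTA approach Kevin contrasts it with can also observe calls deeper in the stack, such as SQL queries.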