[Owasp-london] Re: [WEB SECURITY] Re: [Owasp-dotnet] Review of Owasp-London Chapter meeting on WAF (Web Application Firewalls)
dinis at ddplus.net
Mon May 1 19:15:18 EDT 2006
Bill McGee (bam) wrote:
> The trick, of course, is that standards in this area are just starting
> to emerge.
Agree, and unfortunately we are still quite far from having decent
> So who do you get to do the verification? There is no EAL equivalent
> for this space, #)3 people will always be able to find someone like
> Tolley Group to provide whatever verification you want if the fee is
Very true, which is why I am defending the public disclosure of those
security audits and verifications.
In the current environment, the public release of these reports will
probably be the only way that you will have 'proper' security
evaluations done (since it will expose the reputation of the
companies/consultants doing it).
Another event which will dramatically change the current (in)security
landscape of the products we use, will be when companies have to
publicly disclose what unpatched vulnerabilities exist in their product
(think eEye's upcoming vulnerability disclosure page:
The key here, is to give paying customers information about the quality
and security of the products that they are buying, so that they can make
> We *really* need a standards body to step up and establish/conduct a
> soup-to-nuts verification plan. An interoperability test would also be
The problem is that at the moment there doesn't seem to be enough
backing (both financial and in energy) to create such standards
For example at owasp there is a new project called Web Application
Security Standard (WASS see http://www.owasp.org/standards/wass.html)
which "...aims at creating a proposed set of minimum requirements a web
application must exhibit...". But as always, the progress is severely
limited by lack of resources.
Back to WAF effectiveness, in the short term, I think that tools like
SiteGenerator (and HacmeBank) will allow for the pragmatic and focused
analysis of the performance of WAF (Web Application Firewalls) and WAS
(Web Application Scanners)
Owasp .Net Project
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-london