[Owasp-london] Re: [WEB SECURITY] Re: [Owasp-dotnet] Review of Owasp-London Chapter meeting on WAF (Web Application Firewalls)

Dinis Cruz dinis at ddplus.net
Mon May 1 19:15:18 EDT 2006


Bill McGee (bam) wrote:
>
> The trick, of course, is that standards in this area are just starting 
> to emerge.
>
Agree, and unfortunately we are still quite far from having decent 
standards.
>
> So who do you get to do the verification? There is no EAL equivalent 
> for this space, #)3 people will always be able to find someone like 
> Tolley Group to provide whatever verification you want if the fee is 
> right.
>
Very true, which is why I am defending the public disclosure of those 
security audits and verifications.

In the current environment, the public release of these reports will 
probably be the only way that you will have 'proper' security 
evaluations done (since it will expose the reputation of the 
companies/consultants doing it).

Another event which will dramatically change the current (in)security 
landscape of the products we use, will be when companies have to 
publicly disclose what unpatched vulnerabilities exist in their product 
(think eEye's upcoming vulnerability disclosure page: 
http://www.eeye.com/html/research/upcoming/index.html).

The key here, is to give paying customers information about the quality 
and security of the products that they are buying, so that they can make 
informed decisions.
>
>
> We *really* need a standards body to step up and establish/conduct a 
> soup-to-nuts verification plan. An interoperability test would also be 
> nice...
>
The problem is that at the moment there doesn't seem to be enough 
backing (both financial and in energy) to create such standards.

For example at owasp there is a new project called Web Application 
Security Standard (WASS see http://www.owasp.org/standards/wass.html) 
which "...aims at creating a proposed set of minimum requirements a web 
application must exhibit...". But as always, the progress is severely 
limited by lack of resources.

Back to WAF effectiveness, in the short term, I think that tools like 
SiteGenerator (and HacmeBank) will allow for the pragmatic and focused 
analysis of the performance of WAF (Web Application Firewalls) and WAS 
(Web Application Scanners).

Dinis Cruz
Owasp .Net Project
www.owasp.net
