[Owasp-london] Re: [Owasp-dotnet] Review of Owasp-London Chapter meeting on WAF (Web Application Firewalls)

MindsX mindsx at gmail.com
Mon May 1 08:28:33 EDT 2006


My $0.02... [I seem to be giving a lot away recently]....

5    c) Where are the published independent security reviews of these
products? I find it amazing that vendors that are selling a 'security
product', e.g. a software application (WAF) that protects other software
applications (Websites), do not understand the value of hiring
independent 3rd party security companies to perform source code security
audits to their products (note that the final results of these audits
must be published and made available to clients). As discussed during
the panel,

>it is probably impossible to create bug/vulnerability free applications, <

but to NOT perform independent security audits to their
code is crazy. Since these vendors are still in the 'Functionality Arms
Race' phase of their products. Basically, the development teams are more
focused on features, performance and user experience than on Security
(and I don't have to tell you how 'secure' apps developed like this tend
to be :). Maybe the solution is to put a WAF protecting a WAF protecting
a WAF protecting a website :). Note to vendors: If I am wrong in this
comment, feel free to prove me wrong and publish the security audits
performed on your current product(s).


I'm sure that some of the more experienced coders on the planet will
disagree with the above...

No mention of the fact that one vendor outright _refused_ to admit that web
applications can be made secure - by that I do not mean the underlying code
processors, but more the functionality / logic enforcement and input
validation....

Nor the fact that there was a hard squeeze on the fact that the same vendors'
appliance has known bugs....

Hmm... Secure your network by adding more bugs..... or are customers
supposed to purchase an extra WAF from a different vendor to protect the
original WAF's interface ? anyways...


Moreover - how many of the above build upon open-source without fulfilling
the requirements of the relative license? [apparently F5 are in the
clear... or so they say...]

Think the EFF should engage....

MindsX