[Owasp-london] Re: [WEB SECURITY] Re: [Owasp-dotnet] Review of Owasp-London Chapter meeting on WAF (Web Application Firewalls)

Dinis Cruz dinis at ddplus.net
Wed May 3 22:58:13 EDT 2006


The ICSA reports seem to be quite interesting (thanks Patrick for the link)

What about the other WAF vendors and Web Application Scanners?

Have they done similar certification?

If so, can we have the links to the reports, please? (I had a quick look
on the ICSALabs.com website and couldn't find links to other WAF
tests; even TrafficShield's report doesn't seem to be publicly linked:
http://www.google.com/custom?q=TrafficShield&sa=Google+Search&domains=icsalabs.com&sitesearch=icsalabs.com
)


Dinis Cruz
Owasp .Net Project
www.owasp.net

Patrick Wolf wrote:
> Regarding independent security verifications of the products themselves, several WAF vendors created an ICSA Premier Services certification for WAF to specifically answer this question. Part of this certification was a full audit of the management console as well.
>
> Here is the lab report for F5's TrafficShield:
>
> https://www.icsalabs.com/icsa/docs/html/communities/services/Lab_Reports/F5_Certification_Final_Report.PDF
>
> F5 also contracted Aspect Security last year to test the security provided by TrafficShield vis-à-vis the OWASP Top Ten. That report can be found here:
>
> http://www.f5.com/reports/Aspect_F5_TrafficShield_Summary_Report.pdf
>
> I should also point out that it is our standard QA practice to test our UI with an application scanner.
>
>
> Patrick Wolf  |  Product Manager             
> F5 Networks www.f5.com   
> P 408-273-4859  D 206.272.5556    
> D 408-273-4859  M 408-390-9400   
>             
>
> ________________________________________
> From: Bill McGee (bam) [mailto:bam at cisco.com] 
> Sent: Monday, May 01, 2006 7:56 AM
> To: MindsX; Dinis Cruz
> Cc: owasp-dotnet at lists.sourceforge.net; owasp-london at lists.sourceforge.net; webappsec at securityfocus.com; websecurity at webappsec.org
> Subject: RE: [WEB SECURITY] Re: [Owasp-dotnet] Review of Owasp-London Chapter meeting on WAF (Web Application Firewalls)
>
> The trick, of course, is that standards in this area are just starting to emerge. So who do you get to do the verification? There is no EAL equivalent for this space, and people will always be able to find someone like Tolley Group to provide whatever verification you want if the fee is right.
>
> We *really* need a standards body to step up and establish/conduct a soup-to-nuts verification plan. An interoperability test would also be nice...
>
> That's MY .02...
>
> -bill
>
>  -----Original Message-----
> From:   MindsX [mailto:mindsx at gmail.com]
> Sent:   Mon May 01 06:18:29 2006
> To:     Dinis Cruz
> Cc:     owasp-dotnet at lists.sourceforge.net; owasp-london at lists.sourceforge.net; webappsec at securityfocus.com; websecurity at webappsec.org
> Subject:        [WEB SECURITY] Re: [Owasp-dotnet] Review of Owasp-London Chapter meeting on WAF (Web Application Firewalls)
>
> My $0.02... [I seem to be giving a lot away recently]....
>
> 5    c) Where are the published independent security reviews of these
> products? I find it amazing that vendors that are selling a 'security
> product', e.g. a software application (WAF) that protects other software
> applications (Websites), do not understand the value of hiring
> independent 3rd party security companies to perform source code security
> audits on their products (note that the final results of these audits
> must be published and made available to clients). As discussed during
> the panel,
>
>   
>> it is probably impossible to create bug/vulnerability free applications, <
>>     
>
> but to NOT perform independent security audits on their
> code is crazy, since these vendors are still in the 'Functionality Arms
> Race' phase of their products. Basically, the development teams are more
> focused on features, performance and user experience than on Security
> (and I don't have to tell you how 'secure' apps developed like this tend
> to be :). Maybe the solution is to put a WAF protecting a WAF protecting
> a WAF protecting a website :). Note to vendors: If I am wrong in this
> comment, feel free to prove me wrong and publish the security audits
> performed on your current product(s).
>
>
> I'm sure that some of the more experienced coders on the planet will
> disagree with the above...
>
> No mention of the fact that one vendor outright _refused_ to admit that web
> applications can be made secure - by that I do not mean the underlying code
> processors, but more the functionality / logic enforcement and input
> validation....
>
> Nor the fact that there was a hard squeeze on the fact that the same vendors'
> appliance has known bugs....
>
> Hmm... Secure your network by adding more bugs..... or are customers
> supposed to purchase an extra WAF from a different vendor to protect the
> original WAF's interface ? anyways...
>
>
> Moreover - how many of the above build upon open-source without fulfilling
> the requirements of the relative license? [apparently F5 are in the
> clear... or so they say...]
>
> Think the EFF should engage....
>
> MindsX
>
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
>
>
>   
