[OWASP-ESAPI] Recommendation for when to use ESAPI WAF

Kevin W. Wall kevin.w.wall at gmail.com
Mon Dec 7 19:45:43 EST 2009

I just went through a demo of Breach Security's WebDefend appliance-based WAF
today. That got me to thinking about what will our recommendation be wrt using
ESAPI WAF in an application that is already protected by such a more traditional
WAF? Enable it for a belt-AND-suspenders approach, use it only when the more
traditional WAF identifies a vulnerability that needs patched, always leave it
disabled and trust the traditional WAF to do its job, or something else

I'm interested in hearing if there's any consensus on this list. If there is,
I think it should be part of the ESAPI documentation for recommended deployment
strategy as this scenario will inevitably occur for some.

Would like to hear your thoughts.
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

More information about the OWASP-ESAPI mailing list