[OWASP-ESAPI] Recommendation for when to use ESAPI WAF

Jeff Williams jeff.williams at owasp.org
Mon Dec 7 21:45:19 EST 2009

I suppose you could put global protections in a centralized WAF (with a
decent set of IDS-type signatures) and then application specific policies in
an ESAPI WAF (easier to customize to your application). But I'm not really
sold on the idea of two WAFs. I'm really only recently getting comfortable
with the idea of using a WAF at all, and that's because I think the business
case for virtual patching is pretty compelling.

There's a tendency that I've seen for organizations with a WAF in place to
get a false sense of security. They stop pushing developers to produce
secure code and increasingly rely on the WAF to protect them.  While WAF's
can (in theory) protect against many web attacks, it generally requires
detailed knowledge of exactly where the problems are.  Deploying a WAF
without knowing exactly where the holes are results in pretty poor
protection - thus the false sense of security.


-----Original Message-----
From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Kevin W. Wall
Sent: Monday, December 07, 2009 7:46 PM
To: owasp-esapi
Subject: [OWASP-ESAPI] Recommendation for when to use ESAPI WAF

I just went through a demo of Breach Security's WebDefend appliance-based
today. That got me to thinking about what will our recommendation be wrt
ESAPI WAF in an application that is already protected by such a more
WAF? Enable it for a belt-AND-suspenders approach, use it only when the more
traditional WAF identifies a vulnerability that needs patched, always leave
disabled and trust the traditional WAF to do its job, or something else

I'm interested in hearing if there's any consensus on this list. If there
I think it should be part of the ESAPI documentation for recommended
strategy as this scenario will inevitably occur for some.

Would like to hear your thoughts.
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org

More information about the OWASP-ESAPI mailing list