[OWASP-ESAPI] Recommendation for when to use ESAPI WAF

Boberski, Michael [USA] boberski_michael at bah.com
Tue Dec 8 08:15:08 EST 2009


Jeff, can you expand a little bit on the concept of operations for virtual patching, when it comes to the ESAPI for Java WAF?
 
Mike B.

-----Original Message-----
From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jeff Williams
Sent: Monday, December 07, 2009 9:45 PM
To: 'Kevin W. Wall'; 'owasp-esapi'
Subject: Re: [OWASP-ESAPI] Recommendation for when to use ESAPI WAF

I suppose you could put global protections in a centralized WAF (with a decent set of IDS-type signatures) and then application specific policies in an ESAPI WAF (easier to customize to your application). But I'm not really sold on the idea of two WAFs. I'm really only recently getting comfortable with the idea of using a WAF at all, and that's because I think the business case for virtual patching is pretty compelling.

There's a tendency that I've seen for organizations with a WAF in place to get a false sense of security. They stop pushing developers to produce secure code and increasingly rely on the WAF to protect them.  While WAF's can (in theory) protect against many web attacks, it generally requires detailed knowledge of exactly where the problems are.  Deploying a WAF without knowing exactly where the holes are results in pretty poor protection - thus the false sense of security.

--Jeff


-----Original Message-----
From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Kevin W. Wall
Sent: Monday, December 07, 2009 7:46 PM
To: owasp-esapi
Subject: [OWASP-ESAPI] Recommendation for when to use ESAPI WAF

I just went through a demo of Breach Security's WebDefend appliance-based WAF today. That got me to thinking about what will our recommendation be wrt using ESAPI WAF in an application that is already protected by such a more traditional WAF? Enable it for a belt-AND-suspenders approach, use it only when the more traditional WAF identifies a vulnerability that needs patched, always leave it disabled and trust the traditional WAF to do its job, or something else entirely?

I'm interested in hearing if there's any consensus on this list. If there is, I think it should be part of the ESAPI documentation for recommended deployment strategy as this scenario will inevitably occur for some.

Would like to hear your thoughts.
-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

_______________________________________________
OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-esapi

_______________________________________________
OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-esapi


More information about the OWASP-ESAPI mailing list