[OWASP-ESAPI] Recommendation for when to use ESAPI WAF

Jeff Williams jeff.williams at owasp.org
Tue Dec 8 09:15:56 EST 2009


The term "virtual patching" has been around for a while, but when Ivan
Ristic (author of ModSecurity) included it in a list of use cases for WAFs
over a year ago it got me thinking about it.  Essentially, it just means
writing a specific WAF rule that targets a known vulnerability. This allows
you to quickly block an attack in progress or a critical flaw you've
discovered until you have time to fix the code correctly.  To me, this is a
capability that every web application should have.

A full writeup of doing virtual patching on WebGoat can be found here.
http://www.blackhat.com/presentations/bh-dc-09/Barnett/BlackHat-DC-09-Barnett-WAF-Patching-Challenge-Whitepaper.pdf

The ESAPI WAF is particularly well designed for this use case, as it is
integrated into the application, as opposed to deployed as a standalone box.
That means that you don't have to reparse the HTTP request, you have access
to authentication and session information, and you can take actions within
the application.  Arshan's presentation at OWASP DC was excellent.
http://www.owasp.org/images/f/fb/The_ESAPI_Web_Application_Firewall-Arshan_Dabirsiaghi.pdf

--Jeff
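Added illustration (not part of the original thread, not ESAPI code, and not the ESAPI WAF's own policy syntax): a hand-rolled virtual patch written as a plain servlet Filter, to make concrete what Jeff means by a rule that targets one known vulnerability and by the advantages of sitting inside the application. The endpoint /account/export, its "format" parameter, the patch identifier VP-EXPORT-FORMAT, and the "user" session attribute are all hypothetical.

```java
// Hypothetical virtual patch as a servlet Filter (added example, not ESAPI
// code and not the ESAPI WAF policy format). Assumed finding: the "format"
// parameter of /account/export is passed unsafely to the export routine and
// the code fix is not ready yet. Assumed app convention: the authenticated
// principal is stored in the session under the attribute "user".
import java.io.IOException;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ExportFormatVirtualPatch implements Filter {
    private static final Logger LOG =
            Logger.getLogger(ExportFormatVirtualPatch.class.getName());

    // Scope the patch as narrowly as the finding: one path, one parameter.
    private static final String PATCH_ID = "VP-EXPORT-FORMAT";
    private static final String PATCHED_PATH = "/account/export";
    private static final String PATCHED_PARAM = "format";
    // Positive validation: only the values the export code was written for,
    // rather than a signature list of things an attacker might send.
    private static final Pattern ALLOWED = Pattern.compile("^(csv|pdf)$");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The container has already parsed the request: no second HTTP parser,
        // and no risk that the patch and the app disagree on what was sent.
        if (PATCHED_PATH.equals(request.getServletPath())) {
            String[] values = request.getParameterValues(PATCHED_PARAM);
            if (values != null) {
                for (String value : values) {
                    if (!ALLOWED.matcher(value).matches()) {
                        block(request, response);
                        return;
                    }
                }
            }
        }
        chain.doFilter(req, res);
    }

    private void block(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("user");
        // Application context a standalone box does not have: which
        // authenticated user sent the request, not just which IP address.
        LOG.warning(PATCH_ID + " blocked request from user=" + user
                + " remote=" + request.getRemoteAddr());
        // In-application action. Ending the session is one policy choice;
        // a milder patch might only reject the request.
        if (session != null) {
            session.invalidate();
        }
        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Register the filter in web.xml with a filter-mapping for /account/export (or for /* if the path check inside the filter is preferred), ahead of the application's own servlets. The rule is deliberately tied to one finding; when the code fix ships, the filter is removed rather than left to accumulate into a general-purpose signature set.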


-----Original Message-----
From: Boberski, Michael [USA] [mailto:boberski_michael at bah.com] 
Sent: Tuesday, December 08, 2009 8:15 AM
To: Jeff Williams; 'Kevin W. Wall'; 'owasp-esapi'
Subject: RE: [OWASP-ESAPI] Recommendation for when to use ESAPI WAF

Jeff, can you expand a little bit on the concept of operations for virtual
patching, when it comes to the ESAPI for Java WAF?
 
Mike B.

-----Original Message-----
From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jeff Williams
Sent: Monday, December 07, 2009 9:45 PM
To: 'Kevin W. Wall'; 'owasp-esapi'
Subject: Re: [OWASP-ESAPI] Recommendation for when to use ESAPI WAF

I suppose you could put global protections in a centralized WAF (with a
decent set of IDS-type signatures) and then application specific policies in
an ESAPI WAF (easier to customize to your application). But I'm not really
sold on the idea of two WAFs. I'm really only recently getting comfortable
with the idea of using a WAF at all, and that's because I think the business
case for virtual patching is pretty compelling.

There's a tendency that I've seen for organizations with a WAF in place to
get a false sense of security. They stop pushing developers to produce
secure code and increasingly rely on the WAF to protect them.  While WAFs
can (in theory) protect against many web attacks, it generally requires
detailed knowledge of exactly where the problems are.  Deploying a WAF
without knowing exactly where the holes are results in pretty poor
protection - thus the false sense of security.

--Jeff


-----Original Message-----
From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Kevin W. Wall
Sent: Monday, December 07, 2009 7:46 PM
To: owasp-esapi
Subject: [OWASP-ESAPI] Recommendation for when to use ESAPI WAF

I just went through a demo of Breach Security's WebDefend appliance-based
WAF today. That got me to thinking about what will our recommendation be wrt
using ESAPI WAF in an application that is already protected by such a more
traditional WAF? Enable it for a belt-AND-suspenders approach, use it only
when the more traditional WAF identifies a vulnerability that needs patching,
always leave it disabled and trust the traditional WAF to do its job, or
something else entirely?

I'm interested in hearing if there's any consensus on this list. If there
is, I think it should be part of the ESAPI documentation for recommended
deployment strategy as this scenario will inevitably occur for some.

Would like to hear your thoughts.
-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree, is
by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

_______________________________________________
OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-esapi



