[OWASP-ESAPI] Recommendation for when to use ESAPI WAF

Boberski, Michael [USA] boberski_michael at bah.com
Tue Dec 8 09:55:21 EST 2009


Thanks. FYI, I added a wiki page to the ESAPI for Java's Google Code wiki so we don't lose this info, until we can add it/expand upon it into a proper document, here: http://code.google.com/p/owasp-esapi-java/wiki/WAF

Mike B.

-----Original Message-----
From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jeff Williams
Sent: Tuesday, December 08, 2009 9:16 AM
To: 'owasp-esapi'
Subject: Re: [OWASP-ESAPI] Recommendation for when to use ESAPI WAF

The term "virtual patching" has been around for a while, but when Ivan Ristic (author of ModSecurity) included it in a list of use cases for WAFs over a year ago it got me thinking about it.  Essentially, it just means writing a specific WAF rule that targets a known vulnerability. This allows you to quickly block an attack in progress or a critical flaw you've discovered until you have time to fix the code correctly.  To me, this is a capability that every web application should have.

A full writeup of doing virtual patching on WebGoat can be found here.
http://www.blackhat.com/presentations/bh-dc-09/Barnett/BlackHat-DC-09-Barnett-WAF-Patching-Challenge-Whitepaper.pdf

The ESAPI WAF is particularly well designed for this use case, as it is integrated into the application, as opposed to deployed as a standalone box.
That means that you don't have to reparse the HTTP request, you have access to authentication and session information, and you can take actions within the application.  Arshan's presentation at OWASP DC was excellent.
http://www.owasp.org/images/f/fb/The_ESAPI_Web_Application_Firewall-Arshan_Dabirsiaghi.pdf

--Jeff
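An added illustration of the virtual patching concept Jeff describes above; this is not code from ESAPI or from anyone in this thread. It shows the two properties he names: the rule works on the already-parsed request rather than re-parsing HTTP, and it can name the authenticated session user when it blocks. The class and field names (Request, VirtualPatch, Decision), the /account/lookup endpoint and the id parameter are all assumed for the example; Java 16+ is needed for records.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical in-application virtual patch: one rule that targets one known
// flaw until the code itself is fixed. Not the ESAPI WAF policy format.
public class VirtualPatchDemo {

    // Stand-in for the container's already-parsed request (an in-app WAF
    // receives this directly, so nothing is re-parsed here). Constructed type.
    record Request(String path, Map<String, String> params, String sessionUser) {}

    record Decision(boolean blocked, String reason) {}

    // A virtual patch: the path the flaw lives at, the parameter it reads, and
    // the allow-list pattern that parameter must match to be let through.
    record VirtualPatch(String id, String path, String param, Pattern allowed) {
        Decision apply(Request req) {
            if (!req.path().equals(path)) return new Decision(false, "rule not applicable");
            String value = req.params().get(param);
            if (value == null) return new Decision(false, "parameter absent");
            if (allowed.matcher(value).matches()) return new Decision(false, "value allowed");
            // Running inside the application, the block event can record who was
            // logged in, which a standalone appliance cannot see.
            String who = req.sessionUser() == null ? "anonymous" : req.sessionUser();
            return new Decision(true, "patch " + id + " blocked user " + who
                    + " at " + path + ": parameter " + param + " failed allow-list");
        }
    }

    // First matching patch wins; a request no patch objects to passes through.
    static Decision evaluate(List<VirtualPatch> patches, Request req) {
        for (VirtualPatch p : patches) {
            Decision d = p.apply(req);
            if (d.blocked()) return d;
        }
        return new Decision(false, "no patch matched");
    }

    public static void main(String[] args) {
        // Constructed rule: assume /account/lookup handles "id" unsafely; until
        // that code is fixed, only a short numeric id may reach it.
        VirtualPatch patch = new VirtualPatch("VP-0001", "/account/lookup", "id",
                Pattern.compile("[0-9]{1,10}"));
        List<VirtualPatch> patches = List.of(patch);

        Request ok = new Request("/account/lookup", Map.of("id", "4711"), "alice");
        Request bad = new Request("/account/lookup", Map.of("id", "4711'"), "alice");
        Request other = new Request("/help", Map.of("id", "4711'"), null);

        System.out.println(evaluate(patches, ok));    // blocked=false
        System.out.println(evaluate(patches, bad));   // blocked=true, names alice
        System.out.println(evaluate(patches, other)); // blocked=false, other path
    }
}
```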


-----Original Message-----
From: Boberski, Michael [USA] [mailto:boberski_michael at bah.com]
Sent: Tuesday, December 08, 2009 8:15 AM
To: Jeff Williams; 'Kevin W. Wall'; 'owasp-esapi'
Subject: RE: [OWASP-ESAPI] Recommendation for when to use ESAPI WAF

Jeff, can you expand a little bit on the concept of operations for virtual patching, when it comes to the ESAPI for Java WAF?
 
Mike B.

-----Original Message-----
From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jeff Williams
Sent: Monday, December 07, 2009 9:45 PM
To: 'Kevin W. Wall'; 'owasp-esapi'
Subject: Re: [OWASP-ESAPI] Recommendation for when to use ESAPI WAF

I suppose you could put global protections in a centralized WAF (with a decent set of IDS-type signatures) and then application specific policies in an ESAPI WAF (easier to customize to your application). But I'm not really sold on the idea of two WAFs. I'm really only recently getting comfortable with the idea of using a WAF at all, and that's because I think the business case for virtual patching is pretty compelling.

There's a tendency that I've seen for organizations with a WAF in place to get a false sense of security. They stop pushing developers to produce secure code and increasingly rely on the WAF to protect them.  While WAF's can (in theory) protect against many web attacks, it generally requires detailed knowledge of exactly where the problems are.  Deploying a WAF without knowing exactly where the holes are results in pretty poor protection - thus the false sense of security.

--Jeff


-----Original Message-----
From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Kevin W. Wall
Sent: Monday, December 07, 2009 7:46 PM
To: owasp-esapi
Subject: [OWASP-ESAPI] Recommendation for when to use ESAPI WAF

I just went through a demo of Breach Security's WebDefend appliance-based WAF today. That got me to thinking about what will our recommendation be wrt using ESAPI WAF in an application that is already protected by such a more traditional WAF? Enable it for a belt-AND-suspenders approach, use it only when the more traditional WAF identifies a vulnerability that needs patched, always leave it disabled and trust the traditional WAF to do its job, or something else entirely?

I'm interested in hearing if there's any consensus on this list. If there is, I think it should be part of the ESAPI documentation for recommended deployment strategy as this scenario will inevitably occur for some.

Would like to hear your thoughts.
-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

_______________________________________________
OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-esapi
