[Owasp-topten] Some sort of First Aid Kit in light of the proposed A7

Dave Wichers dave.wichers at owasp.org
Tue May 30 19:10:04 UTC 2017


Cool article Christian. Thanks for writing it and posting to the list. I
think instructions to help people disable ModSecurity for certain users is
helpful to have out there.

I have a question though. Isn't another option to simply stand up a test
instance and not have the WAF there at all? Or do both? i.e., have a test
instance, and only disable the WAF for certain IPs on the test instance.
That way the production system isn't affected or put at risk at all.

I could even imagine a customer asking you to test both with and without
the WAF in order to test the evadability of the WAF. But that would take
more time/be more expensive, so not sure most customers would think that's
worth it.

In my experience, we usually get hired to test against a test instance
anyway. It's rare that we are asked to test against production. But maybe
that's not as common as I think it is. In your experience, how often are
you hired to test against prod vs. a test instance?

Any others want to comment on that as well?

Thanks, Dave


On Tue, May 30, 2017 at 3:31 AM, Christian Folini <
christian.folini at netnea.com> wrote:

> Hi there,
>
> There have been reasonable arguments that A7 would make the life of
> white hats much harder and thus result in an overall reduction of
> the security level.
>
> I wrote a blog post pointing out ways how to cope with sufficient
> attack protection during assessments. Call it an A7 survival guide
> or whatever.
>
> https://www.netnea.com/cms/2017/05/30/an-a7-first-aid-kit/
>
> Feedback welcome here or via PM.
>
> Cheers,
>
> Christian
>
> --
> https://www.feistyduck.com/books/modsecurity-handbook/ (due in June!)
> mailto:christian.folini at netnea.com
> twitter: @ChrFolini
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>
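The two options discussed in this thread (switching the WAF off for a tester's source IP, or running the test pass with the WAF in a non-blocking mode so that evasion can be measured afterwards) can both be expressed in ModSecurity 2.x rule syntax. The snippet below is an added example for this page; it is not taken from the post above or from the linked netnea.com article. The address range 203.0.113.0/24 and the rule ids 900900 and 900901 are placeholders chosen for the example, and the rules are assumed to be loaded before the CRS (or any other rule set) in the configuration, since a ctl action only affects rules evaluated after it in the same transaction.

```apache
# Added example (not from the post or from netnea.com): per-source-IP WAF
# handling for an assessment against a TEST instance, ModSecurity 2.x syntax.
# Assumptions: 203.0.113.0/24 is the tester's range and 900900/900901 are
# free rule ids in your deployment; both are placeholders for this example.
# Load this file before the CRS includes so the ctl action takes effect first.

# Variant A: the tester sees no WAF at all. The rule engine is switched off
# for every request from the tester's range, for the rest of that transaction.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.0/24" \
    "id:900900,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Variant B: the tester is never blocked, but every rule that WOULD have fired
# is still written to the audit/error log. Comparing the tester's findings with
# the logged rule hits gives the "with and without WAF" view from a single run.
# Enable only one of the two variants.
#SecRule REMOTE_ADDR "@ipMatch 203.0.113.0/24" \
#    "id:900901,phase:1,pass,nolog,ctl:ruleEngine=DetectionOnly"
```

Two caveats apply. First, REMOTE_ADDR is the TCP peer address: if the test instance sits behind a load balancer or reverse proxy, it will be the proxy's address and the match will either never fire or fire for everyone. In that case populate the client address with mod_remoteip, restricting RemoteIPHeader to addresses listed via RemoteIPInternalProxy; do not match on a raw X-Forwarded-For header, because any client can set that header and would thereby switch the WAF off for itself. Second, keep such exemptions on the test instance only, as the thread suggests, and remove them when the engagement ends.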