[Owasp-topten] Some sort of First Aid Kit in light of the proposed A7
dave.wichers at owasp.org
Tue May 30 19:10:04 UTC 2017
Cool article Christian. Thanks for writing it and posting to the list. I
think instructions to help people disable ModSecurity for certain users is
helpful to have out there.
I have a question though. Isn't another option to simply stand up a test
instance and not have the WAF there at all? Or do both? i.e., have a test
instance, and only disable the WAF for certain IPs on the test instance.
That way the production system isn't affected or put at risk at all.
I could even imagine a customer asking you to test both with and without
the WAF in order to test the evadability of the WAF. But that would take
more time/be more expensive, so not sure most customers would think that's
In my experience, we usually get hired to test against a test instance
anyway. It's rare that we are asked to test against production. But maybe
that's not as common as I think it is. In your experience, how often are
you hired to test against prod vs. a test instance?
Any others want to comment on that as well?
On Tue, May 30, 2017 at 3:31 AM, Christian Folini <christian.folini at netnea.com> wrote:
> Hi there,
> There have been reasonable arguments that A7 would make the life of
> white hats much harder and thus result in an overall reduction of
> the security level.
> I wrote a blog post pointing out ways to cope with sufficient
> attack protection during assessments. Call it an A7 survival guide
> or whatever.
> Feedback welcome here or via PM.
> https://www.feistyduck.com/books/modsecurity-handbook/ (due in June!)
> mailto:christian.folini at netnea.com
> twitter: @ChrFolini
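One way to set up the test-instance-only variant Dave describes (WAF fully on in production, exemption only for tester addresses on the test instance), as an added example that is not code from Christian's blog post or from the ModSecurity Handbook; it assumes ModSecurity 2.x on Apache, and the hostnames, include paths, tester address range and rule id are placeholders:

```apacheconf
# Constructed example (not from the post or the ModSecurity Handbook).
# Assumes ModSecurity 2.x on Apache. The tester range 203.0.113.0/24, the
# rule id 900100, hostnames and include paths are placeholders.

# Production vhost: the WAF stays fully enabled; no tester exemption here.
<VirtualHost *:443>
    ServerName www.example.com
    SecRuleEngine On
    Include /etc/modsecurity/crs-setup.conf
    Include /etc/modsecurity/rules/*.conf
</VirtualHost>

# Test vhost: same rule set, but requests from the tester range run in
# DetectionOnly mode, so the assessment is not blocked while the alerts are
# still written to the audit log. Comparing that log with the tester's
# findings shows what the WAF would have caught (and missed) with blocking on.
<VirtualHost *:443>
    ServerName test.example.com
    SecRuleEngine On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit_test.log

    # Must precede the CRS includes: phase 1 rules run in configuration order,
    # and ctl:ruleEngine only changes the mode for the current transaction.
    # nolog: the exemption itself is not worth an audit entry per request.
    SecRule REMOTE_ADDR "@ipMatch 203.0.113.0/24" \
        "id:900100,phase:1,pass,nolog,ctl:ruleEngine=DetectionOnly"

    Include /etc/modsecurity/crs-setup.conf
    Include /etc/modsecurity/rules/*.conf
</VirtualHost>
```

Because the exemption lives only in the test vhost, the production configuration never contains a source-address bypass, which is the risk Dave raises.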