[Owasp-topten] Some sort of First Aid Kit in light of the proposed A7

Christian Folini christian.folini at netnea.com
Wed May 31 14:22:13 UTC 2017

On Tue, May 30, 2017 at 03:10:04PM -0400, Dave Wichers wrote:
> Cool article Christian. Thanks for writing it and posting to the list. I
> think instructions to help people disable ModSecurity for certain users is
> helpful to have out there.

Thanks Dave. Yes, documentation is generally lacking and if you
look through my examples, you realize the rule language can be a pain.
(-> Hence standard rule sets like the Core Rule Set where you do not
need to write rules yourself)

> I have a question though. Isn't another option to simply stand up a test
> instance and not have the WAF there at all? Or do both? i.e., Have a test
> instance, and only disable the WAF for certain IPs on the test instance.
> That way the production system isn't affected or put at risk at all.

Sure. That is an option.

However, running a production with a WAF in front of it and a test
setup without a WAF usually means that little testing of the WAF
is taking place. Little testing of the WAF leads to false positives
in production and false positives in production leads to disabling
the WAF or its rules / filters.

A strongly configured WAF is a rare species. A strong WAF in prod 
usually comes with a strong WAF in test.

> I could even imagine a customer asking you to test both with and without
> the WAF in order to test the evadability of the WAF. But that would take
> more time/be more expensive, so not sure most customers would think that's
> worth it.

I have seen this done this way. Most of the time, the Pen-Tester
wants to have the WAF disabled because he has been instructed the
application server (and not the complete service as visible by an

> In my experience, we usually get hired to test against a test instance
> anyway.

That is mostly the case in my experience too.

> It's rare that we are asked to test against production. But maybe
> that's not as common as I think it is. In your experience, how often are
> you hired to test against prod vs. a test instance?

I am a defender, so I do not do pen tests. But I read the reports
and talk to pen testers a lot. So I think you need a way to let the
pen tester do his job without too much hassle. If she/he wants to test
the WAF, then great, because I might learn of a weakness. If she/he
wants to have the WAF out of the way, then yes.



When he lit his fire, he filled his house with smoke,
but he made no light.
--- Abaelard on Anselm von Laon
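As an added illustration of the approach discussed in this thread (not taken from the article or the list post), the following ModSecurity snippet switches the engine to detection-only for one pen-tester source address so the test can proceed unblocked while the WAF keeps logging what it would have caught; the IP address and rule ids are constructed placeholders.

```apache
# Added example: per-source-IP WAF relaxation for a pen test.
# Place these rules before the Core Rule Set include so they run first.

# Constructed pen-tester address (RFC 5737 documentation range); replace it
# with the address actually agreed for the engagement.
SecRule REMOTE_ADDR "@ipMatch 192.0.2.10" \
    "id:10001,phase:1,pass,nolog,\
    msg:'Pen-test source: WAF set to DetectionOnly',\
    ctl:ruleEngine=DetectionOnly"

# Keep a record of every request that arrived under the relaxed mode, so the
# resulting alerts can be reviewed afterwards to find rules that fired (false
# positives) and attacks that slipped through (WAF weaknesses).
SecRule REMOTE_ADDR "@ipMatch 192.0.2.10" \
    "id:10002,phase:1,pass,log,\
    msg:'Request from pen-test source during WAF evaluation'"
```

Using DetectionOnly rather than Off preserves the audit log of what the WAF would have blocked, which is the feedback the defender wants from the test.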

