From: Tracy Reed (treed ultraviolet.org)
Date: Thu Aug 06 2009 - 16:13:40 CDT
On Thu, Aug 06, 2009 at 03:36:40PM -0400, dave spake thusly:
> Lemme tell you, there's nowhere a hacker would rather be than on
> your WAF. If for no other reason than the irony, because hackers
> have good senses of humour.
I have been wondering about this very thing. NIDS don't bother me so
much because it is usually on a mirror port and not really directly in
the flow of things. A little harder to get ahold of and less
useful. But a WAF...that's a different story. And things like PCI-DSS
6.6 require code review (expensive and a pain) OR a WAF (which nearly
everyone chooses). I have never liked to deploy WAFs, instead
preferring to attempt to write more secure code, although
defense-in-depth etc. can't hurt. But I have actually heard webapp
developers use the WAF as a crutch ("Learn parameterized queries? But
we have a WAF!").
--
Tracy Reed
http://tracyreed.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFKe0eE9PIYKZYVAq0RAmFHAJ48HXbkOHug9Ar7Jvvqo/oBHJgwxwCgkXQT
RID7CkmiZzXr9JB4gc4QjQU=
=g/GW
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave
lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
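The "learn parameterized queries, or lean on the WAF" contrast in the message above, shown in code. This is an added example and is not part of the original post or the Dailydave list; it uses Python's standard sqlite3 module with a constructed in-memory table. The point it makes is the one Tracy raises: a WAF tries to recognize hostile input by pattern, while a parameterized query removes the class of bug entirely, so there is nothing for a signature to miss.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny in-memory users table (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn, username):
    """The code pattern a WAF is asked to compensate for.

    The caller's input is spliced into the SQL text, so the database parser
    sees whatever the user typed as part of the statement. A WAF in front of
    this can only try to guess, request by request, which strings look hostile.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    """The fix the message refers to: a parameterized query.

    The statement text is fixed; the value travels separately and is bound by
    the driver. It is never parsed as SQL, regardless of its contents, so no
    filtering layer is needed to make this safe.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare():
    """Run both lookups on a benign and on a constructed hostile input.

    Returns a dict so the four outcomes can be inspected side by side.
    """
    conn = build_db()
    benign = "alice"
    # Constructed input: a textbook tautology, the kind of string WAF
    # signatures are written to catch. With concatenation it rewrites the
    # WHERE clause; with a bound parameter it is just an unmatched username.
    hostile = "x' OR '1'='1"
    return {
        "concat_benign": lookup_concat(conn, benign),
        "concat_hostile": lookup_concat(conn, hostile),
        "param_benign": lookup_param(conn, benign),
        "param_hostile": lookup_param(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in compare().items():
        print(f"{name:15s} -> {rows}")
```

With concatenation the hostile input returns every row in the table; with the bound parameter it returns nothing, because the database never saw the quote or the OR as syntax. That difference is why a WAF can only ever be a compensating control for this bug class, and why PCI-DSS 6.6's code-review option addresses the cause rather than the symptom.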