May 14, 2009
@OWASP AppSec EU2009, Day 1
Another presentation that drew a large audience on the first day was called "The Truth about Web Application Firewalls: What the vendors don't want you to know". Frankly, I was expecting much more from a presentation with such a dramatic title. What Wendel (TrustWave) and Sandro (EnabledSecurity) basically showed is that they can figure out whether a WAF is deployed to protect a web application, plus two techniques that can allegedly "bypass" WAFs. Although the researchers did not mention SecureSphere in their list of fingerprintable or exploitable WAFs, I have some comments on this research:
  • The title should have been "The Truth about IDSs". The two speakers described WAFs basically as a combination of black lists and white lists, while missing the entire point of WAFs that learn the web application's interfaces and usage patterns using dynamic profiling mechanisms and express complex security rules through advanced correlation engines. Actually, WAFs were developed to overcome the disadvantages of purely signature-based products like IDSs. So all of this is a bit of old news.
  • Presenting the ability to detect WAFs deployed in front of a web application as a major security risk is just biased. It reminded me of a security solution 10 years back where someone came up with a "genius" idea for protecting web applications: instead of returning the real server and framework version in responses (IIS 5, ASP 1.2, etc.), let's fool hackers and return fake ones.
    WAFs are actively protecting web applications, and hackers can detect that a WAF is deployed simply because they are being blocked and unable to hack the system.
  • Finally, taking IDS products that claim to be WAFs and showing two specific bypasses of poor signatures is really not what I expected. Actually, talking to other people who attended this presentation, I learned that I was not the only one who was a bit disappointed.
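To make the distinction in the first bullet concrete, here is a small added example (my own illustration, not code from the post, from Imperva or from the presenters) of the three building blocks named above: a positive model learned from benign traffic (a per-path profile of parameter names, value classes and lengths), a negative model (a short, constructed signature list), and a correlation step that turns both kinds of findings into one score before deciding to block. The training URLs, the three signatures and the scoring weights are all constructed assumptions chosen to show the mechanism, not anything a real product uses.

```python
"""Toy WAF engine: learned positive profile + signature list + score correlation."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Negative security model: three constructed, purely illustrative signatures.
# (Assumption: a production engine carries far larger, maintained rule sets.)
SIGNATURES = {
    "sqli-union": re.compile(r"(?i)\bunion\b.+\bselect\b"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+"),
    "xss-script-tag": re.compile(r"(?i)<\s*script\b"),
}

# Coarse value classes, ordered from most to least restrictive.
CLASS_RANK = {"digits": 0, "alpha": 0, "alnum": 1, "any": 2}


def value_class(value: str) -> str:
    if value.isdigit():
        return "digits"
    if value.isalpha():
        return "alpha"
    if value.isalnum():
        return "alnum"
    return "any"


@dataclass
class ParamProfile:
    max_rank: int = 0   # widest value class seen during learning
    max_len: int = 0    # longest value seen during learning
    samples: int = 0


@dataclass
class Profile:
    # path -> parameter name -> ParamProfile
    paths: dict = field(default_factory=lambda: defaultdict(dict))


def learn(profile: Profile, urls) -> Profile:
    """Positive model: derive the application's interface from benign traffic."""
    for url in urls:
        parts = urlsplit(url)
        params = profile.paths[parts.path]
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            p = params.setdefault(name, ParamProfile())
            p.max_rank = max(p.max_rank, CLASS_RANK[value_class(value)])
            p.max_len = max(p.max_len, len(value))
            p.samples += 1
    return profile


def evaluate(profile: Profile, url: str, threshold: int = 5) -> dict:
    """Correlate positive-model deviations and negative-model hits into one score."""
    parts = urlsplit(url)
    findings, score = [], 0
    known = profile.paths.get(parts.path)      # .get() does not create entries
    if known is None:
        findings.append(("profile", "unknown-path", parts.path))
        score += 5
        known = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # Signatures run on the decoded value, so %27 and '+' are normalised first.
        for sig_name, rx in SIGNATURES.items():
            if rx.search(value):
                findings.append(("signature", sig_name, name))
                score += 5
        p = known.get(name)
        if p is None:
            findings.append(("profile", "unknown-param", name))
            score += 3
            continue
        if CLASS_RANK[value_class(value)] > p.max_rank:
            findings.append(("profile", "type-mismatch", name))
            score += 3
        if len(value) > 2 * p.max_len:
            findings.append(("profile", "length", name))
            score += 2
    # Correlation: one low-weight anomaly is logged, combined evidence is blocked.
    return {"blocked": score >= threshold, "score": score, "findings": findings}


# Constructed benign traffic standing in for the learning period.
TRAINING = [
    "/item?id=42",
    "/item?id=1337",
    "/search?q=laptop",
    "/search?q=usb+cable",
]


def build_profile() -> Profile:
    return learn(Profile(), TRAINING)


if __name__ == "__main__":
    prof = build_profile()
    for u in ["/item?id=77", "/item?id=77&debug=1", "/item?id=0000000000abc",
              "/admin?x=1", "/search?q=%27+or+%271%27%3D%271"]:
        print(u, evaluate(prof, u))
```

Two things the run illustrates: the free-text `q` parameter is learned as "any" characters, so the positive model says nothing about it and the signature list is what catches the tautology; conversely, `id` is learned as short digits, so a value that no signature matches is still blocked once the type and length deviations are correlated, while a single unexpected `debug` parameter only raises a low score and is logged rather than blocked.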

Comments

You guys are probably right about whitelisting not being a silver bullet, just as you're right about blacklisting not being one. I don't think it comes as a surprise to anyone. I don't think that code changes are a silver bullet either (hey, if it were not for bad code, vulnerabilities would not have existed in the first place).
Information security is all about managing your risk and using the tools that are most cost effective for the problem. Information security is also about layered solutions. For instance, in SecureSphere WAF we chose to use both positive security model and negative security model, and even correlate the outcome of the two.
I'm not saying the WAF is always the answer for everything (I actually don't use a WAF for coffee making). However, I do think that it has proven to be a very cost effective solution to application security problems.

- Amichai

Hi Eldad Chai,

Thank you for your comments about our presentation; we like all the feedback and we think it's important.

Just as information, during the talk we provided 2 examples in one product, and on the last day of the conference we provided one more example in another product. One of these examples (presented on the first day) was realized on a WAF working in positive model, which I believe you may agree is much more robust, right? In this case, we bypassed a scene that is the result generated by dynamic profiling mechanisms / learning mode.

A point that I believe to be relevant is that these flaws were all found using one of the principles we explained in our presentation.

We never worked with Imperva, but we know the name of the company; unhappily we do not know anyone running SecureSphere, and unhappily Imperva does not provide trial / demo copies. But we would be really happy to be able to test the robustness of SecureSphere WAF. We are working on our talk for the next presentations, where we will be showing new vulnerabilities and enhancing our tools (wafw00f and waffun), and we would like to add SecureSphere to our list of products to be tested. Can you arrange it for us?


Thank you for the feedback.

best regards,

Wendel

You greatly overestimate SecureSphere's ability to perform "dynamic profiling". It just doesn't work.

Whoever you are, you saying "It just does not work" is just as bad as me saying "It just works" without explaining how and why. Anyway, my point was that claiming that WAFs are just a bunch of black and white lists is plain wrong and not very educating for professionals coming to these conferences with the intention of expanding their knowledge in security.

