May 10, 2012

WAF Wars

Two articles are out today on WAFs:  one from Imperva's Noa Bar Yosef and the other a blog from our partner Acunetix.

Let's start with the Acunetix blog. The basic argument is this: WAFs are being used as a band-aid that substitutes for a more comprehensive approach, one that primarily consists of vulnerability scanning (note that Acunetix is a vulnerability scanner). Two points:

  • A truly comprehensive appsec program, though necessary, is neither easy nor always an option. We profiled an attack against a temporary website, for example, whose owners had little time to develop a secure site. And the WAF proved to be a very effective defense. Just because someone uses a WAF doesn't mean they're being lazy--there are very tangible pragmatic factors driving the decision. For this reason, one CISO echoed what I've heard in many places: "A WAF should be the first and last line of defense."
  • Not all WAFs are created equal, and we detailed why here.  The market for WAFs is very broad and large, so making generalizations about WAFs is tricky.

Noa's column makes a comprehensive case for how WAFs can be integrated into SDLCs effectively.
