Did we learn anything about web application firewall technology this week? I hope so. However, my gut tells me there is an overriding feeling of ambiguity around this technology. People want WAFs, but they don't know why. Organizations everywhere think [...]
Posted by Dre on Friday, June 27, 2008 in Defense and Security.
[Andre and Marcin]: For today's post, we have a guest blogger, Rohit Sethi. We asked Rohit to do this guest post because we feel that his research, along with that of his co-worker Nish Bhalla, has been influential in solving some unique application security [...]
Posted by Rohit on Thursday, June 26, 2008 in Defense, People and Security.
This post comes via WAF thoughts from Christian Matthies's blog circa one year ago. Christian starts out with a bang: [...] it seemed to me that quite a lot of people aren't aware of how effective such solutions in fact are. Basically I agree that [...]
Posted by Dre on Thursday, June 26, 2008 in Defense and Security.
Web application experts have been asking WAF vendors the same questions for years with no resolution. It's not about religion for many security professionals -- it's about having a product that works as advertised. My frustration is not unique. I am not [...]
Posted by Dre on Wednesday, June 25, 2008 in Defense and Security.
Hello, and welcome to the Week of War on WAF's, the week that ends with the deadline by which PCI-DSS Requirement 6.6 goes into effect for many merchants. Today is the first day. So far, Marcin has identified some of the problems with web application [...]
Posted by Dre on Monday, June 23, 2008 in Defense and Security.
We've been beating the drum for some time now, expressing our opinions of web application firewalls (WAFs). You might have sided with us on this issue, be against us, or just be tired of it all by now. This post is about to change all that, and show [...]
Posted by Marcin on Monday, June 23, 2008 in Defense, Security and Work.
We all know about the CISSP. You've heard the whispered hallway conversations. You've seen the business cards, the email signatures, and the government contract requirements. You might even know the secret handshake, or have the magical letters attached [...]
Posted by Dre on Thursday, June 19, 2008 in Security and Work.
I see that the BlackHat Blogger's Network has a topic of interest. I'll oblige, especially since The Hoff is involved. I think it's a good exercise, so I'll have to thank Shimel for this idea. You also won't want to miss what I've said about [...]
Posted by Dre on Wednesday, June 18, 2008 in Defense, Security and Tech.
Last week, Richard Bejtlich reviewed "Nmap in the Enterprise," and for the most part was largely disappointed with its lack of enterprise context. My last script, tissynbe.py, parsed Nessus results in nbe format and inserted them into a MySQL database. [...]
Posted by Marcin on Sunday, June 15, 2008 in Code and Security.
Apparently Laura Chappell and Mark Curphey were presenting at the Microsoft TechEd 2008 Security Track last week. I haven't heard too much about what happened as a result, and I really wish I had been there to see them speak about their respective topics. For [...]
Posted by Dre on Sunday, June 15, 2008 in Conferences, People, Security and Tech.
I wanted to do a post about "what web application security really is" because plenty of people out there don't get it. They understand that "security attacks are moving from hosts to the Web", but they have no idea what that means. To most people, web [...]
Posted by Dre on Sunday, June 15, 2008 in Defense, Hacking and Security.