Archive for June, 2008

Week of War on WAF’s: Day 5 — Final thoughts

Did we learn anything about web application firewall technology this week?
I hope so. However, my gut tells me there is an overriding feeling of ambiguity around this technology. People want WAFs, but they don’t know why. Organizations everywhere think this is the best or only short-term answer to the web application security […]

Week of War on WAF’s: Day 4 — Closer to the code

[ Andre and Marcin ]: For today’s post, we have a guest blogger, Rohit Sethi. We asked Rohit to do this guest post because we feel that his research, along with co-worker, Nish Bhalla, has been influential at solving some unique application security problems. We met Rohit and Nish at Shmoocon 2008 as […]

Week of War on WAF’s: Day 3 — Language specific

This post comes via WAF thoughts from Christian Matthies’s blog circa one year ago. Christian starts out with a bang:
[…] it seemed to me that quite a lot of people aren’t aware of how effective such solutions in fact are. Basically I agree that different layers of protection [are] always a good idea to get […]

Week of War on WAF’s: Day 2 — A look at the past

Web application experts have been asking WAF vendors the same questions for years with no resolution. It’s not about religion for many security professionals — it’s about having a product that works as advertised.
My frustration is not unique. I am not the first person to clamor on about web application firewalls. Jeff […]

Week of War on WAF’s: Day 1 — Top ten reasons to wait on WAF’s

Hello, and welcome to the Week of War on WAF’s, the week in which PCI-DSS Requirement 6.6 goes into effect as a deadline for many merchants. Today is the first day. So far, Marcin has identified some of the problems with web application firewalls. We were able to identify what […]