Week of War on WAF’s: Day 2 — A look at the past
Web application experts have been asking WAF vendors the same questions for years with no resolution. It’s not about religion for many security professionals — it’s about having a product that works as advertised.
My frustration is not unique. I am not the first person to clamor on about web application firewalls. Jeff Williams pointed me to a post that Mark Curphey made in 2004. Today, Curphey appears to have had a change of heart — his latest blog post provides a link to URLScan, which some claim is like mod-security for Microsoft’s Internet Information Server (IIS). Microsoft released URLScan Beta 3.0 in order to curtail the massive problem of over two million Classic ASP web applications that have become infected through SQL injection attacks.
Here is the post where the frustration with WAFs and their vendors first began:
—–Original Message—–
From: The OWASP Project [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 16 November 2004 2:34 PM
To: [EMAIL PROTECTED]
Subject: An Open Letter (and Challenge) to the Application Security Consortium

An Open Letter (and Challenge) to the Application Security Consortium
Since its inception in late 2000 the Open Web Application Security Project (OWASP) has provided free and open tools and documentation to educate people about the increasing threat of insecure web applications and web services. As a not-for-profit charitable foundation, one of our community responsibilities is to ensure that fair and balanced information is available to companies and consumers.
Our work has become recommended reading by the Federal Trade Commission, VISA, the Defense Information Systems Agency and many other commercial and government entities.
The newly unveiled Application Security Consortium recently announced a “Web Application Security Challenge” to other vendors at the Computer Security Institute (CSI) show in Washington, D.C. This group of security product vendors proposes to create a new minimum criteria and then rate their own products against it.
The OWASP community is deeply concerned that this criteria will mislead consumers and result in a false sense of security. In the interest of fairness, we believe the Application Security Consortium should disclose what security issues their products do not address.
As a group with a wide range of international members from leading financial services organizations, pharmaceutical companies, manufacturing companies, services providers, and technology vendors, we are constantly reminded about the diverse range of vulnerabilities that are present in web applications and web services. The very small selection of vulnerabilities you are proposing to become a testing criteria are far from representative of what our members see in the real world and therefore do not represent a fair or suitable test criteria.
In fact, it seems quite a coincidence that the issues you have chosen seem to closely mirror the issues that your technology category is typically able to detect, while ignoring very common vulnerabilities that cause serious problems for companies.
Robert Graham, Chief Scientist at Internet Security Systems, recently commented on application firewalls in an interview for CNET news. When asked the question “How important do you think application firewalls will become in the future?” his answer was “Not very.”
“Let me give you an example of something that happened with me. Not long ago, I ordered a plasma screen online, which was to be shipped by a local company in Atlanta. And the company gave me a six-digit shipping number. Accidentally, I typed in an incremental of my shipping number (on the online tracking Web site). Now, a six-digit number is a small number, so of course I got someone else’s user account information. And the reason that happened was due to the way they’ve set up their user IDs, by incrementing from a six-digit number. So here’s the irony: Their system may be so cryptographically secure that (the) chances of an encrypted shipping number being cracked is lower than a meteor hitting the earth and wiping out civilization. Still, I could get at the next ID easily. There is no application firewall that can solve this problem.
With applications that people are running on the Web, no amount of additive things can cure fundamental problems that are already there in the first place.”
This story echoes some of the fundamental beliefs and wisdom shared by the collective members of OWASP. Our experience shows that the problems we face with insecure software cannot be fixed with technology alone. Building secure software requires deep changes in our development culture, including people, processes, and technology.
We challenge the members of the Application Security Consortium to accept a fair evaluation of their products. OWASP will work with its members (your customers) to create an open set of criteria that is representative of the web application and web services issues found in the real world. OWASP will then build a web application that contains each of these issues. The criteria and web application will be submitted to an independent testing company to evaluate your products.
You can submit your products to be tested against the criteria (without having prior access to the code) on the basis that the results are able to be published freely and unabridged.
We believe that this kind of marketing stunt is irresponsible and severely distracts awareness from the real issues surrounding web application and web services security. Corporations need to understand that they must build better software and not seek an elusive silver bullet.
We urge the Consortium not to go forward with their criteria, but to take OWASP up on our offer to produce a meaningful standard and test environment that are open and free for all.
Contact: [EMAIL PROTECTED]
Website: www.owasp.org
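Graham’s shipping-number story is the letter’s central argument: a request that reads `id=123457` instead of `id=123456` contains nothing a signature filter can flag, so only an ownership check inside the application stops it. The toy below illustrates that argument; it is an added example, not code from the post or from any WAF product, and its shipment records, the three-pattern “WAF” rule list and the handler names are all constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample data: records keyed by sequential six-digit shipping numbers.
SHIPMENTS = {
    "123456": {"owner": "alice", "address": "1 Peachtree St, Atlanta"},
    "123457": {"owner": "bob",   "address": "2 Ivy Ln, Atlanta"},
}

# Toy signature rules standing in for a WAF rule set (assumption: real rule sets
# are far richer, but they still inspect request syntax, not record ownership).
WAF_SIGNATURES = [
    re.compile(r"(?i)(union\s+select|or\s+1=1|--)"),  # SQL injection tokens
    re.compile(r"(?i)<script|javascript:"),           # reflected XSS tokens
    re.compile(r"\.\./"),                             # path traversal
]


def waf_allows(path: str, query: dict) -> bool:
    """True when no signature matches the path or any query parameter."""
    candidates = [path] + [f"{k}={v}" for k, v in query.items()]
    return not any(sig.search(c) for sig in WAF_SIGNATURES for c in candidates)


def track_unchecked(query: dict) -> Optional[dict]:
    """Vulnerable handler: the shipping number alone selects the record."""
    return SHIPMENTS.get(query.get("id", ""))


def track_checked(user: str, query: dict) -> Optional[dict]:
    """Hardened handler: the record must belong to the authenticated caller."""
    rec = SHIPMENTS.get(query.get("id", ""))
    if rec is None or rec["owner"] != user:
        # Same answer for "missing" and "not yours", so the ID space leaks nothing.
        return None
    return rec


def simulate(user: str, shipping_id: str, handler: str) -> Optional[dict]:
    """Pass one tracking request through the toy WAF, then the chosen handler."""
    query = {"id": shipping_id}
    if not waf_allows("/track", query):
        return None  # blocked at the perimeter
    if handler == "unchecked":
        return track_unchecked(query)
    return track_checked(user, query)


if __name__ == "__main__":
    # alice asks for bob's number: the WAF sees a well-formed request and passes it.
    print(simulate("alice", "123457", "unchecked"))  # bob's record leaks
    print(simulate("alice", "123457", "checked"))    # None: ownership check holds
```

The same filter does block an obviously malformed value, which is exactly the point: the WAF catches syntax, while the authorization decision can only be made where the owner is known.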

Dre,
I haven’t changed my mind at all (I may have slightly softened, but very slightly). Slammed at work and need to respond fully, as well as to Stuart King’s comments on his blog about them.
Give me a few days and I will do a meaty blog post and drop me a note.
Cheers,
007
Mark,
Will do! Thanks for commenting — looking forward to your post!
Meanwhile the open Web Application Firewall Evaluation Criteria has been released and I hear the 2nd edition is in the final stages: http://www.webappsec.org/projects/wafec/
I do not see anything new in the message you are putting up. It’s an organisation that deals with bad security products, and they are trying to get the vendors to play by the rules. That does not say a lot about WAFs. It’s rather an opinion about the sales business in general.
I do not know if you attended the panel talk on PCI DSS 6.6 at this year’s OWASP Europe in Belgium (http://www.owasp.org/index.php/OWASP_AppSec_Europe_2008_-_Belgium).
The climax came when Gary McGraw, from Cigital, stated that he strongly believes that doing Code Scanning (yourself!) is the only reasonable way to get better application security. Doing a scan and then repairing the software, including the design flaws if you found those too. This came two minutes after he stated that M$ is one of his biggest customers, and some time after a statement that scanning the application is not enough. You have to scan the whole software stack. From the application to the BIOS.
I was sitting next to Gary and replied that unfortunately, we are not yet in a world where you are able to scan (and repair!) the whole stack. And I am not sure we will be there tomorrow, as much as I would love it. Meanwhile, there is a niche for WAFs, when you are not able to fix it where it _should_ be fixed.
A world without a need for WAFs is a better place. You can continue to dream or install ModSecurity. I’m pragmatic at times and did the latter.
@ Christian Folini:
Have you read WASC’s WAFEC? It’s basically a marketing manual for WAF’s. I don’t see anything in there that would be useful to anyone: not even as a buyer’s guide.
Code Scanning (yourself!) is the only reasonable way to get better application security
Everyone assumes that because I’m anti-WAF and anti-WASS that I am pro-code-review or pro-SCA.
Nothing could be farther from the truth. In reality, Gary McGraw and I disagree. I think that unit testing, integration unit testing, and white-box dynamic analysis (as well as maybe some security-focused acceptance testing) are the best ways to handle software security issues.
we are not yet in a world, where you are able to scan (and repair!) the whole stack
Which is why I suggest new methods instead of simply `code scanning’. There are ways to improve web application security immediately through Continuous Integration (or the basic concept, dumbed-down), Test-first development (in small iterations is probably fine to start with), Dependency injection, Inversion of Control containers, and the other things that go with them. I also like the idea of `code scanning’ in small sprints as well, but that’s a very recent idea that I’ll have to explore further.
WAF is not the only “short-term” solution to the web application security problem — I personally, don’t see it as a solution at all to this problem because it is so narrow in what it can do. AOP and even DI can certainly change the scene significantly.
AOP and DI can affect everything — all of the code and every kind of software weakness. WAF affects 0-11 percent of the overall weakness exposure of a handful of web application attacks. That’s basically like saying “WAF’s do nothing”. Even with VA+WAF, this only rises to 20-29 percent of the overall weakness exposure, and it doesn’t add any specific weakness support that I’m aware of yet.
I’m pragmatic at times and did the latter
Everyone keeps using this word, “Pragmatic”. What they really mean to say is, “We want to target the older generation of information security people who make purchasing decisions at Fortune 500 companies, who don’t yet disagree with our perspective because they are not in the New School of Information Security”. It’s a marketing word and I’m getting really sick of it.
It also says, “You don’t think pragmatically because you don’t think like us”. I’ve been working in an operational role with networks, the Internet, and security for over 14 years at major companies during major times of security turmoil. I’ve been involved in ideas about web application defense, including WAF for almost 10 years now. Of course I think and act pragmatically about it.
Hey dre,
I like the WAFEC for what it is: A guideline to compare different products of the same class. The present edition is limited; I expect more from the upcoming one.
There is nothing wrong with new ideas to write better code. In fact you mention a few interesting ones. I am a weak coder so this is not an area where I can really contribute. But WAFs do not respond to that question. At least not in my eyes.
In fact, the WAF helps to limit the loss once the milk is already spilt. The code is already here, it is productive and it has problems.
Now everybody would want to go back and fix the code. But imagine you do not have the source code (I have heard this happen ;), the company who wrote it is long gone, the developer himself is living on an island in the Pacific now, the documentation is written in Cyrillic and the potential loss of a breach is big. I know that this hardly ever happens in the real world. Maybe it is completely unrealistic. But if it happens to you, then maybe a WAF can help. If it’s in 11% of all cases, then so be it. In fact, do you have a source for your naked numbers?
Different approach: A WAF is a defense line in a multilayered setup. It’s not the silver bullet, but it can help if configured properly. There is nothing wrong with controlling what goes into your apache and what comes out.
Maybe the root problem of our disagreement is the perspective. If you look at it from a coding perspective, then it sounds like a bad patch to something that should be fixed at source code level. If you look at it from a sysadmin perspective, then a WAF gives you a handle, where the coder is beyond reach (in a useful timeframe).
@ Christian Folini:
In fact, do you have a source for your naked numbers?
Well, we know from studies that WASS (VA) only finds 20-29 percent of a specific class (e.g. just XSS or just SQLi) and that they don’t attempt every type of attack that is possible against web applications. With WAF’s, we know this is significantly less. Maybe you’re right that I was being overgenerous.
If you look at it from a coding perspective, then it sounds like a bad patch to something that should be fixed at source code level. If you look at it from a sysadmin perspective, then a WAF gives you a handle, where the coder is beyond reach (in a useful timeframe)
No, I’m not looking at this from only one perspective. I’ve worked in development, administration, network engineering, and all sorts of other roles. I am speaking about my dislike of WAF’s across the board.
To those security professionals or administrators out there that want to install a WAF — I think you’re wasting your time and should go find a developer who will listen to you. Learn how to share ideas with them, how to talk “their language”, and maybe learn a bit about development for yourself.
The `useful timeframe’ bit I certainly don’t understand. Have you ever worked in a production environment? You can’t simply slap WAF’s in like they are new batteries for your TV remote control. There are rules such as change management. Everything takes time and careful planning. WAF’s require experts in web application security.
Developers do not need to be experts in application security in order to write the right tests, or re-use those tests across projects. Once they have a good test program, making changes to help with security properties (or that fix critical security-related bugs) can be made before the next release. Releases happen very quickly in some organizations, and certainly pushing a specific release just to address security bugs isn’t a new concept to anyone.
Hiho,
This is developing into a dogfight without need. I like this blog and I started to comment because I felt like I could contribute with a point or two. If that is not welcome, then please delete my comments.
If you truly believe that this whole WAF thing is all crap and that it is easier to perfect the source code to holiness, then that is fair with me. I don’t buy it, though.
But who am I to have an opinion here? I am only a fool running a knitting online forum for grandma and we try to protect her from the spam by her sister Tilly. Never heard about productive environments. I mean we never plan. We just install stuff and pray it works.
And as for these studies: Do you have more details like names and links? Sorry, if they are well known to everybody apart from me.
Hey Christian... your comments are always welcome, I don’t think dre means to come off as an asshole or anything, he’s just real passionate about this stuff. I wrote a blog post the other day on ways I think WAFs could improve and where they’re useful. The number one area of improvement I think a WAF could use is egress/outbound filtering. There’s been some interesting research in the area done by several people from Fortify in a couple of papers. Check it out, let us know what you think.
http://www.owasp.org/images/9/9d/OWASP-AppSecEU08-Madou.pdf
http://www.blackhat.com/presentations/bh-europe-07/Kureha/Whitepaper/bh-eu-07-chess-kureha-WP.pdf
Christian was civil and articulate and Dre is acting like an asshole.
Not everyone is out to get you, and a good point delivered in an ugly way is not going to change anyone’s opinion, so that behavior is lose-lose.
@ arshan & Christian:
You’re right. I was making assumptions and being overly-defensive. We’ll make it up in the next posts by having Marcin provide links to download the new Girl Talk album for some good tunes listening during our little war here. *lighters*
Who the hell is Girl Talk?
@ Marcin:
Music for kids your age.
@dre, business logic problems are created by people and only people can solve them. I’ve never heard any WAF enthusiast claim WAFs solve business logic problems, but I am hearing quite a few anti-WAF people using the argument in their rants. Do you also expect IDS/IPS products to solve business logic problems? Because WAF is just a silly name for what should really be called a web intrusion detection system–same thing as IDS/IPS, just with a better understanding of what goes on in the HTTP layer.
As for your claim about WAFEC: I started WAFEC specifically to help people understand what WAFs can and cannot do. If you want to do the same then please send me some constructive comments, and they are likely to find their way into a future version.
@ Ivan Ristic:
I’ve never heard any WAF enthusiast claim WAFs solve business logic problems
Meet Jeremiah Grossman, VA+WAF enthusiast who claims that business logic problems can be solved by WAF. It’s good to see that you WAF enthusiasts collaborate so well!
In the case of “one hand doesn’t know what the other hand is doing”, this is another clear indicator that we should wait on WAF technology.
@dre, I hate to be persistent, but do you think there is any chance you will respond to my actual question about the suitability of IDS/IPS products to handle business logic flaws?
@ Ivan Ristic:
We’ll try to cover all of the issues we can during this week-long WAF thread. Thanks for bringing up some important issues. It seems to be that WAF ideas are just “all over the place”, lacking in any consolidating binding force, or any consistency to hold onto.
I think that network-based IPS was meant to act as a way to “virtual patch” a handful of specific exploits that do not yet have reliable and/or installed patches. What network IPS really does instead is not really a “patch”, but just another blacklist for exploits in clear format, with clear text. Did you know that there are potentially 70 or more known evasion methods for any given DCOM or similar exploit?
For host-based IPS, it depends on how the system works — whether NOEXEC, ASLR, or mandatory/rule-based access control (or even a simple closed-DAC). In the last case of authorization, business logic flaws apply more than in the other areas (I don’t see how they apply at all, unless you’re talking about evasion or similar). I guess I don’t really understand the question.
If you’re talking about behavioral analysis or anomaly detection, I don’t feel that I have the exposure or experience with such products or theory to make a qualified statement.