Gunnar -- agreed. And for all the "fake security" in the name of PCI going on right now out there -- let's also keep in mind that it is completely valid and legitimate to attempt to operationalize software security.
We scoff because to date it hasn't been done well (at all). That is just as much a technology as a people problem.

I know WAFs can be used fairly effectively. The recent SQL Injection bots, and folks who survived them through attack-vector filtering, are good examples of increased survivability through use of this technology.

I suspect there's a backlash coming to the magic-pizza-box WAF vendors. The "magic elf inside" auto protection just does not work in most enterprise scenarios.

Tangential to PCI -- the self-proclaimed top vendor in the PCI WAF space with "super-auto-learning" is losing several top accounts I've confirmed, from VARs and customers directly. Including customers on their "case studies" page.

The customers ditching the "auto-learning" WAF are still using a WAF. They are just replacing it with a different kind of WAF. The two approaches I see being investigated as part of a WAF 2.0 strategy are:

(a) virtual patching, e.g. only protecting things known to be weak, and
(b) Fortify's code-shim "WAF" approach.

Disclaimer: I work on a solution of type (a).

Agreed on the people problem. There's a technology problem here too, though. And it's not a small one. Many of us throw out the baby with the bathwater due to the technology problem and the insane vendor marketing around it we've been dealing with for years. When many of our technology solutions still don't do what they say they have been able to do for 4 or 5 years, maybe it's time to start blaming some new people.

--
Arian J. Evans.
Software. Security. Stuff.

On Mon, Jun 30, 2008 at 7:17 AM, Gunnar Peterson <[EMAIL PROTECTED]> wrote:
> for the vast majority of the profession - slamming the magic pizza box in a
> rack is more preferable than talking to developers. in many cases the biggest
> barrier to getting better security in companies is the so-called information
> security group. it has very little to do with technology, it's a people problem.
>
> -gp
>
> Kenneth Van Wyk wrote:
>> Happy PCI-DSS 6.6 day, everyone. (Wow, that's a sentence you don't hear
>> often.)
>>
>> http://www.internetnews.com/ec-news/article.php/3755916
>>
>> In talking with my customers over the past several months, I always find
>> it interesting that the vast majority would sooner have root canal than
>> submit their source code to anyone for external review. I'm betting PCI
>> 6.6 has been a boon for the web application firewall (WAF) world.
>>
>> Cheers,
>>
>> Ken
>>
>> -----
>> Kenneth R. van Wyk
>> SC-L Moderator
>> KRvW Associates, LLC
>> http://www.KRvW.com
>>
>> _______________________________________________
>> Secure Coding mailing list (SC-L) [email protected]
>> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
>> List charter available at - http://www.securecoding.org/list/charter.php
>> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
>> as a free, non-commercial service to the software security community.
>> _______________________________________________
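As an added illustration of approach (a) above, a virtual patch that guards only the inputs known to be weak and leaves everything else untouched, rather than an auto-learning model of the whole application. This is example code written for this page, not from the original post or any vendor's product; the endpoint paths, parameter names and allow-patterns are constructed for the illustration.

```python
import re
from urllib.parse import parse_qs

# Virtual patch table (constructed sample). Each entry scopes one allow-list
# rule to a single known-weak endpoint/parameter pair; requests to any other
# path, or with other parameters, are passed through unchanged.
# The paths and parameter names below are hypothetical.
VIRTUAL_PATCHES = [
    # A numeric record id that a code review found concatenated into SQL.
    {"path": "/product", "param": "id", "allow": re.compile(r"^\d{1,9}$")},
    # A report name that ends up in a filesystem path; restrict the charset.
    {"path": "/report", "param": "name", "allow": re.compile(r"^[A-Za-z0-9_-]{1,32}$")},
]

def check_request(path, query):
    """Return (allowed, reason). Only patched path/param pairs are inspected."""
    params = parse_qs(query, keep_blank_values=True)
    for patch in VIRTUAL_PATCHES:
        if patch["path"] != path:
            continue
        for value in params.get(patch["param"], []):
            if not patch["allow"].match(value):
                return False, f"virtual patch {path}?{patch['param']}: rejected {value!r}"
    return True, "pass"

def virtual_patch_middleware(app):
    """Wrap a WSGI app; requests violating a virtual patch get HTTP 403."""
    def wrapped(environ, start_response):
        allowed, reason = check_request(
            environ.get("PATH_INFO", ""), environ.get("QUERY_STRING", ""))
        if not allowed:
            # Emit the decision so blocked traffic is visible to whoever monitors the app.
            print("BLOCK", reason)
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by virtual patch\n"]
        return app(environ, start_response)
    return wrapped
```

Because the rule set is keyed to specific weaknesses, a false positive can only occur on the patched parameters, which is what makes this approach tolerable in enterprise deployments where a generic learning model keeps misfiring.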
