-
January 27th, 2005, 08:39 AM
#11
I'm guessing you don't actually believe that, and you are just looking for the counterpoint that would justify your position as a consultant.
There are ways around firewalls, firewalls can be exploited, firewalls can be manipulated, firewalls are not foolproof. A consultants job isn't to just find holes, but to find design and infrastructure weakness. You may have a firewall for protection, but your job as a consultant is to make sure it's configured correctly and that policy is designed correctly among other things. If one layer is exploited, everything behind it suddenly depends on strong policies and designs. OWASP rings bells.
-
January 27th, 2005, 12:22 PM
#12
Member
In the interest of Security, I believe it to be bullshit and pray god that the following will not turn out to be true:
The introduction of Application Firewalls has eliminated the need for a comprehensive application security audit.
There is one word in the above statement that raises the debate "comprehensive". Security audits used to target the application that might be vulnerable. Having an "application firewall" in the front of the application means that we are testing the gateway and not the application.
-
January 27th, 2005, 12:27 PM
#13
There is one word in the above statement that raises the debate "comprehensive". Security audits used to target the application that might be vulnerable. Having an "application firewall" in the front of the application means that we are testing the gateway and not the application.
Actually, you can go a little bit further than that. It's the fact that it's still made by a human. There will always be flaws, regardless of whether there is a firewall. Instead you now have two things to test: the firewall and the application. You cannot assume that the firewall will stop things from happening. Additionally, if you test only the gateway and not the application an attacker can go past the firewall through a legitimate port or pathway to the application.
-
January 27th, 2005, 02:49 PM
#14
Additionally, if you test only the gateway and not the application an attacker can go past the firewall through a legitimate port or pathway to the application.
amen.
BTW, it's a pretty common way to do that, since firewalls are (usually) well tested by developers. I can't say that about some application developers that I know... a lot of developers still allow that "or 1 = 1" on the logon screens
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
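The "or 1 = 1" logon flaw mentioned in post #14, and the gateway-versus-application point made in post #13, shown side by side as an added example (not code from any poster in this thread). It uses an in-memory SQLite table with constructed sample users; the function names, the plaintext password column and the regex used by the toy gateway filter are all assumptions made for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory table.
    Passwords are stored in plaintext only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The logon pattern the post complains about: user input is pasted
    straight into the SQL text, so a tautology in the password field
    turns the WHERE clause true for every row."""
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened form: placeholders make the input data, never SQL.
    The same tautology is now just a password that matches nobody."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Hypothetical gateway rule, standing in for an application firewall:
# it blocks the literal "or <n> = <n>" shape on its way to the app.
TAUTOLOGY = re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.IGNORECASE)


def gateway_allows(value):
    """True if the toy gateway would pass this field through to the app.
    A string filter like this is the layer a black-box test exercises;
    it does not change what the application itself does with the input."""
    return TAUTOLOGY.search(value) is None


def demo():
    conn = make_db()
    payload = "' or 1 = 1 --"
    return {
        "vulnerable_app_with_payload": login_vulnerable(conn, "nobody", payload),
        "safe_app_with_payload": login_safe(conn, "nobody", payload),
        "gateway_blocks_payload": not gateway_allows(payload),
        "gateway_passes_real_password": gateway_allows("correct horse"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the vulnerable logon returning "alice" for a made-up username plus the tautology, while the parameterised logon returns nothing for the same input. The gateway filter does block that one string, which is exactly why a test that only reaches the gateway proves nothing about `login_vulnerable`: the filter and the query are two separate things to audit, and the durable fix lives in the application.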
-
January 27th, 2005, 06:04 PM
#15
Originally posted here by kautilya
The introduction of Application Firewalls has eliminated the need for a comprehensive application security audit.
Actually, companies such as @stake hire people well versed in software testing and web security to work with companies on making their web applications more secure. This happens through testing the software, running the applications that do this in an automated fashion, doing code audits, developer education, etc.
Firewalls do not solve the problem. Developers write bad code that can put customer data at risk. While automated solutions catch some of the vanilla problems that everyone makes, there are always one off problems due to custom made solutions or web application providers that the automated tool hasn't worked with yet.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
-
January 28th, 2005, 08:17 AM
#16
Member
Yes, I do hope and pray that what I said above should indeed become bullshit.
The point here is that "application firewalls" filter most vulnerabilities before they reach the "application".
If we have someone using a Teros application gateway in front of their application, and then if we do a blackbox based remote ethical hacking test, we are testing the application firewall, not the application. This implies that web app security testing, the remote blackbox way, does not make sense since the application firewalls are already tested products that the application deployers have bought.
I hope this adds a good smell to my ****.
-
January 28th, 2005, 12:29 PM
#17
Member
Sorry guys, I posted an unordered reply...
I am talking about "application firewalls" not "network firewalls"
-
February 2nd, 2005, 01:19 PM
#18
Member
I am talking about "application firewalls" not "network firewalls"
-
February 2nd, 2005, 03:13 PM
#19
Can you provide some names of these commercial application firewalls, for those of us not sure of the direction or subject of this thread? Just product names/links would be fine, to give me a point to go read up on the subject. Thanks!
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
February 2nd, 2005, 05:30 PM
#20
Member
sure - teros.com netcontinuum.com imperva