item 24522901

Bnshsysjab | 5 years ago

Right, but in the context of antivirus you’re executing unconstrained data in an unconstrained environment; in appsec you can handle data correctly rather than rely on a third party product that can’t contextualise or assess the impact of a payload on your application. I work in appsec and think WAF filtering is snake oil.

laumars | 5 years ago

You clearly haven’t worked in appsec that long if you haven’t already come across dozens of third party code bases that are supported either by people who don’t code or by overstretched developers that have no love for those specific platforms. Think low margin Wordpress sites, a CEO’s friend’s Magento shop that your business ends up hosting for free, or some other CMS that predates the majority of your dev team (all of these cases I’ve personally experienced). Basically anything that adds enough value to the business to justify the hosting fees but not enough to justify development resource, and thus often gets forgotten about. I’ve seen these instances pop up time and time again, and while there are always the best of intentions about keeping up with patches, a WAF does at least increase the margin for error.

Bnshsysjab | 5 years ago

Or maybe I’m just not scraping the bottom of the barrel when it comes to security assessments. If the software is at that point, the organisation is well and truly fucked, WAF or not.

hombre_fatal | 5 years ago

You need to tweak your understanding of appsec to realize that most websites are run by non-technical people running old versions of off-the-shelf software, attacked almost exclusively by automated drive-by attacks mass-scanning the internet.

If you don't see how WAFs could be useful, you may have been in the HN bubble too long thinking every website is some hand-coded Flask app.

Bnshsysjab | 5 years ago

You need to tweak your view of security requirements if you want to provide IT functions to users. Yes, they are a nice-to-have; yes, the cost of a data breach, either to you or to the user, is highly damaging.

There’s nothing stopping most industries doing something stupid in the current state of things, but I’m sure there will be in the future: you should be legally liable for your consumer data, irrespective of whether you’re ‘nontechnical people running old versions of off the shelf software’ or not. Mistakes happen, but failing the most obvious stuff in infosec is, IMO, criminally negligent. WAF or not.