

Where Do Web Application Firewalls Fit in the Overall Defense Strategy?

Some people seem to think that, because I develop a web application firewall, I believe web application firewalls are the best thing since sliced bread and the solution to all web application security problems. It does not happen often, but when it does it’s really annoying. Since I don’t believe blindly in web application firewalls, I find it tedious to explain my opinion on this subject over and over again. So I thought it would be a good idea to write about it here, so that I can simply point these people to my blog and be done with it. So here it is.

In theory, web application security is easy. By now we can say the subject is well researched and documented, so the “only” thing we need to do is work with people who understand it. In real life, however, there will be many obstacles. (These obstacles are not specific to web application security, but to security in general. You could even expand the scope to include software quality to some extent. But I digress.) Some of the problems are:

Life becomes much easier once you accept you will fail. To deal with the problem (in this case “deal” means minimize the chance of total failure) people invented an approach called defense in depth. By now, defense in depth is a well-known and widely accepted security principle. The basic idea is that you don’t want to put all your eggs into the same basket. Instead, assuming any part of the system can fail, you look for ways to configure other parts, or introduce new parts to limit the effect of the failure. The principle is easier to understand with an example. A good defense strategy would include the following elements:

The above list is just an example. I could go on adding more and more security elements. But even a short list such as this one is sufficient to demonstrate how the defense in depth principle dictates the use of multiple redundant protection systems.

As we can now see, web application firewalls are just one of the elements in the bigger picture. The way I see it, their major advantages are:

This is just the stuff intrusion detection and prevention systems have been doing for many years now. The only difference is web application firewalls understand HTTP better.

Finally, there is an important truth to understand. Generic web application firewalls, like intrusion detection systems, are only as good as the people managing them. Out of the box they don’t do much (although you will be hard-pressed to get many of the vendors to agree). They must be configured properly by skilled people in order to become effective.

Posted by ivanr at March 2, 2005 03:03 PM