[Bnshsysjab]

Right but I’m the context of antivirus you’re executing unconstrained data in an unconstrained environment, in appsec you can handle data correctly rather than rely on a third party product that can’t contextualise or assess the impact of a payload on your application. I work in appsec and think WAF filtering is snake oil.

[laumars]

You clearly haven’t worked in appsec that long if you haven’t already come across dozens of third party code bases that are supported either by people who don’t code or by over stretched developers that have no love for those specific platforms. Think low margin Wordpress sites, a CEOs friends Magento shop that your business ends up hosting for free, or some other CMS that predates the majority of your dev team (all of these cases I’ve personally experienced). Basically anything that adds enough value to the business to justify the hosting fees but not enough to justify development resource and thus often gets forgotten about. I’ve seen these instances pop up time and time again and while there is always the best of intentions keeping up with patches, WAF does at least increase the margin for error.

[Bnshsysjab]

Or maybe I’m just not scraping bottom of the barrel when it comes to security assessments. If the software is at that point the organisation is well and truly fucked, waf or not.

[laumars]

A company running on off-the-shelf CMS for a product that adds value but isn’t part of the core business so that they can focus of the hard problems that differentiates themselves from their competitors is absolutely the correct way to run infrastructure.

You do actually realise that a significant amount of national and international news sites are actually powered by offs-the-shelf components and often even Wordpress? Equally true is the number of independent shops that run off-the-shelf applications. Then you have SaaS solutions that run a hosted blog (not everyone has switched to Medium), shops that still run message boards, and so on and so forth.

It’s got absolutely nothing b to do with the organisation failing and everything to do with investing your expensive talent on the problems that differentiate your business.

It’s easy to say “I work in yadda yadda yadda” anonymously but you’re still massively misrepresenting how the industry actually works with your sweeping generalisations. And if you were half as experienced as you pretend, you’d already know that. For example there is another use case of WAFs that hasn’t yet been discussed: automatic blacklisting. If they detect suspicious activity hitting services under the WAFs control they can automatically blacklist that source across all customers using that WAF service. This is similar to how fail2ban works but at a cloud level and with the added bonus of saving your sysadmins/DevOps engineers the pain of adding and maintaining thousands of apache / nginx rules themselves.

Let’s also not forget that there is good money to be made off consulting for those companies that are “fucked” and guiding them through best practices and low maintenance security models. That can often be a rewarding job in its own right (depending on the business).

[Bnshsysjab]

I’ll ignore your condescending dribble but:

> Let’s also not forget that there is good money to be made off consulting for those companies that are “fucked”

Where the hell are your ethics?

[Bnshsysjab]

No it’s not recommending snake oil and telling them to do things properly instead I don’t. Care if that makes the security industry dry up, my only hope is that if it does the snake oil salespeople die with it.

[detaro]

So your approach of "not scraping bottom of the barrel" and not helping such companies is more ethical?

[Bnshsysjab]

See comment on parent.

[hombre_fatal]

You need to tweak your understanding of appsec to realize that most websites are run by non-technical people running old versions of off the shelf software attacked almost exclusively by automated drive-by attacks mass-scanning the internet.

If you don't see how WAFs could be useful, you may have been in the HN bubble too long thinking every website is some hand-coded Flask app.

[Bnshsysjab]

You need to tweet your view of security requirements if you want to provide IT functions to users. Yes they are a nice to have, yes the cost of a data breach either to you or the user are highly damaging.

There’s nothing stopping most industries doing something stupid in the current state of things but I’m sure there will be in the future, you should be legally liable for your consumer data, irrespective of if you’re ‘nontechnical people running old versions of off the shelf software’ or not, mistakes happen, but failing the most obvious stuff in infosec is, IMO, criminally negligent. Waf or not.