Hacker News new | ask | show | jobs
by hombre_fatal 2097 days ago
> Instead

You're misunderstanding the market.

The point of Cloudflare WAF isn't to be a main line of defense for HN readers, it's to stop the low effort automated drive-by attacks for websites that were already hosed. Like WAFs that block /wp-admin/* and instead generate a new segment.

I'd be surprised if there was a single person in the world who is going to go "oh right I should replace Cloudflare WAF and my sqli with some parameterized queries!"
3 comments
Bnshsysjab 2096 days ago
I think ‘stop wasting time on dumb stuff and focus on actual security’ is a good take home for the HN crowd. Time and money is finite, so spend it wisely.
link
btown 2096 days ago
It's also "Hey the superstar on the sales team just launched a new Wordpress blog that everyone likes, just wanted to let you know" and you have no time for a detailed security audit. Put it behind Cloudflare and at least you're more protected than you were!
link
Bnshsysjab 2095 days ago
Nah you pull it offline and tell them to follow correct procurement and development practices. If your development teams aren’t talking to your security teams you have bigger problems than Wordpress.
link
gregmac 2095 days ago
Consider: Your org is more likely to be run by people that are like the sales people than like you. Who do you think they side with, when sales goes up the chain to complain development broke their new initiative and is saying it'll take 4x longer to do the thing they already did themselves, and as a direct result means they won't hit revenue numbers this quarter?

What's even the risk here? Some minor marketing sub-site gets defaced, causing - at worst - an embarassing but instantly-forgotten incident?

link
Bnshsysjab 2095 days ago
No the risk is that somebody has decided to disregard security and general security process and create shadow IT, which if left unchecked will create massive problems within the organisation long term. If the culture is to disregard security, throw a waf infront and call it a day then they’ll pay for it financially (and possibly legally) in the long run and not something I’d want to associate with at all.
link
z3t4 2096 days ago
So basically you say that those who care about security and sound engineering practices should quit software development, because it's a lost cause?
link