[jiggawatts]

I work at medium to large government orgs as a consultant and it’s entertaining watching beginners coming in from small private industries using - as you put it - consequentialism and virtue ethics to fight against an enterprise that admits only duty ethics: checklists, approvals, and exemptions.

My current favourite one is the mandatory use of Web Application Firewalls (WAFs). They’re digital snake oil sold to organisations that have had “Must use WAF” on their checklists for two decades and will never take them off that list.

Most WAF I’ve seen or deployed are doing nothing other then burning money to heat the data centre air because they’re generally left them in “audit only mode”, sending logs to a destination accessed by no-one. This is because if a WAF enforces its rules it’ll break most web apps outright, and it’s an expensive exercise to tune them… and maintain this tuning to avoid 403 errors after every software update or new feature. So no-one volunteers for this responsibility which would be a virtuous ethical behaviour in an org where that’s not rewarded.

This means that recently I spun up a tiny web server that costs $200/mo with a $500/mo WAF in front of it that does nothing just so a checkbox can be ticked.

[sebazzz]

Oh man, web application firewalls and especially Azure Application Gateway are the bane of my existence. Where I work they literally slap an Azure Application Gateway instance on every app service with all rules enabled (even the ones Microsofts recommends not to enable) in block mode directly when provisioning the stuff in Azure. The app is never observed in audit mode.

Result is that random stuff in the application does not work for any user, or only for some users, because some obscure rule in Azure Application Gateway triggers. Especially the SQL injection rule of Azure Application Gateway seems to misfire very often. A true pain to debug, then a true pain for the process to get the particular rule disabled.

And then not even to start about the monthly costs. Often Azure Application Gateway itself is more expensive than the App Service + SQL Database + Blob Storage + opt. App Insights. I really think someone in the company got offered a private island from Microsoft for putting Azure Application Gateway as a mandatory piece in the infrastructure of every app.

Yes, our most of our security has been outsourced to cheap workers in developing countries like India, which are of course rated on maintaining the standard and not rated on thinking and understanding what you want and putting things in context, and probably also work 60-70 hours per week during ungodly times so you can hardly blame them. It is truly the process that is broken.

[vrighter]

Well what if they were intelligent and could actually really understand the data and its schema before deciding whether to allow or reject the request... wait... that's just the application itself.

[jiggawatts]

It all boils down to trust. Management don’t trust the developers to do the right thing because they outsourced development to the lowest bidder. They futilely compensate for this by spending a mere $500/mo for a WAF.

MBA thinking at its finest…

[lll-o-lll]

So WAF. Bad? I don’t know enough about it. If it’s just a way to inject custom rules that need to be written and maintained, the value seems low or negative. I had hoped you got a bunch of packages that protected against (or at least detected) common classes of attacks. Or at least gave you tools in order to react to an attack?

[ozim]

Just slapping WAF in front of your services without configuring and maintaining rules is bad.

Without someone dedicated for maintenance of WAF it is just a waste. Where not many companies want to pay for someone babysitting WAF and it can be full time job if there is enough changes on layers behind.

[dataflow]

> they’re generally left them in “audit only mode”, sending logs to a destination accessed by no-one.

Aren't these still useful for figuring out what happened if you're hacked?

[lmm]

Maybe, if the attacker didn't bother to hack into the WAF itself (generally a softer target than whatever's behind it) and if you bothered keeping or understanding the logs (extremely unlikely to be a good use of resources).

[dataflow]

You don't need to understand the logs at the time you gather them for this, you just need to keep them long enough to cover the breach, and to be able to understand them after the fact. Hardly seems like an obvious waste to me, and well worth $500/mo.

[lmm]

> you just need to keep them long enough to cover the breach, and to be able to understand them after the fact

And avoid leaking customer information/passwords/etc. through them until then, which is the hard part.

[djbusby]

Yep. I've seen WAF in "audit mode" and it's got load of client API keys in there, among other fun things.

Check the box for WAF but adds a new risk.

[tryauuum]

can it even be considered a firewall if it's running in an "audit only mode"?

[TeMPOraL]

(Corporate IT sec answer): it says "firewall" in the name, so yes.

[jiggawatts]

This is the correct answer!

Every corporation over a certain size has a rule that everything needs a firewall in front of it… even if the something is a cloud service that only listens on port 443.