SEARCH RESULTS
 
Showing 1-7 of 7 records

WAF Better Than Code Review? Not Really.

2008-04-16 02:00:33 by Chris Eng in Zero in a bit
 
...WAF) must be installed. Anyway, in this article, PCI-DSS General Manager Bob Russo makes the following statement: "Personally, I'd love to see everyone go through an OWASP-based source-code review, but certainly, that's not going to happen," Russo said, referring to the expensive and time-consuming process of manual code reviews. So the...

The Business Case for WAFs + Testing

2008-06-19 18:09:06 by Bill in Grumpy Security Guy
 
...WAF hater camp, but we saw that in this case it made total sense. The customer deployed a WAF, configured it using our vulnerability data, and was able to mitigate the risk in about 3 weeks. Bottom line, and what people continually fail to understand, is that every current solution on the market today has its shortcomings. In security everything...

Fun Reading on Security - 5

2008-07-11 17:57:00 by Dr Anton Chuvakin in Anton Chuvakin Blog
 
...WAF battle rages on (here and in many other places). PCI + June 30 + 6.6 + WAF = BOOM. How do you protect from IT admins "going bad"? Separate data and infrastructure (easier said than done, for sure). Another related one is "Staff more dangerous than hackers". Curious about PCI DSS compliance outside the US? Read this and this. Yes, it is...

The Big Announcement

2008-03-13 00:03:25 by Bill in Grumpy Security Guy
 
...WAFs, bleh. Plus, I mean, didn't we already try scanners + WAFs before? Oh yeah, the total trainwreck that was AVDL. So one thing I failed to realize was that Jeremiah's approach is a bit different, and when combined with WhiteHat Sentinel (aka NOT a scanner) it is a no-brainer. WAFs generally struggle in a few different areas, the people running...

Security Briefing: June 10th

2008-06-10 14:47:41 by Dave Lewis in Liquidmatrix Security Digest

...WAF won't prevent | ZDNet. Tags: News, Daily Links, Security Blog, Information Security, Security News

Minimizing the Attack Surface, Part 2

2008-07-07 21:10:25 by Chris Eng in Zero in a bit
 
...WAF? It doesn't have to. Certainly, one option would be to whitelist each and every unique URL that references the DWR framework, e.g. /dwr/call/plaincall/myMethod1, /dwr/call/plaincall/myMethod2, /dwr/call/plaincall/myMethod3. But then you'd have to update the whitelist every time you added or removed functionality from your application. Also, don't...
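The snippet above describes the per-URL allowlist and its maintenance cost, then cuts off before the post's own alternative. The following is an added example, not code from Chris Eng's post or from DWR: it puts the exact-URL allowlist next to an assumed single pattern rule for the /dwr/call/plaincall/ prefix and runs both over constructed request paths after normalizing them. The method names, the normalization rules (decode once, collapse slashes, resolve dot segments) and the sample paths are all assumptions made for illustration; a real WAF has to mirror whatever URL handling the backend behind it actually performs.

```python
"""Exact-URL allowlist vs. pattern rule for DWR endpoints.

Added example, not code from the original post. Method names, the
normalization rules, and the sample requests are all assumptions
constructed for illustration.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Option 1 (as described in the snippet): one entry per DWR method.
# Every added or removed method means editing this set.
EXACT_ALLOWLIST = {
    "/dwr/call/plaincall/myMethod1",
    "/dwr/call/plaincall/myMethod2",
    "/dwr/call/plaincall/myMethod3",
}

# Option 2 (assumed alternative, not the post's own): one anchored rule that
# admits any plaincall whose method name is a plain identifier. Adding a
# method to the application needs no rule change; anything outside the
# prefix, or carrying extra path segments, is still denied.
DWR_PATTERN = re.compile(r"^/dwr/call/plaincall/[A-Za-z_$][A-Za-z0-9_$]*$")


def normalize_path(raw_url: str) -> str:
    """Canonicalize the request path before either check runs.

    Drops the query string, percent-decodes once, collapses repeated
    slashes and resolves '.'/'..' segments. Matching the raw string
    instead is the classic allowlist mistake: an encoded or dot-segment
    spelling of a path outside the prefix would not look like one.
    Assumption: the backend decodes and resolves the path the same way;
    a WAF must mirror the application's URL handling, not invent its own.
    """
    path = urlsplit(raw_url).path
    decoded = unquote(path)
    collapsed = re.sub(r"/{2,}", "/", decoded)
    norm = posixpath.normpath(collapsed)
    if norm == ".":
        norm = "/"
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm


def allowed_exact(raw_url: str) -> bool:
    """Verdict of the per-URL allowlist."""
    return normalize_path(raw_url) in EXACT_ALLOWLIST


def allowed_pattern(raw_url: str) -> bool:
    """Verdict of the single pattern rule."""
    return DWR_PATTERN.match(normalize_path(raw_url)) is not None


def evaluate(raw_url: str) -> dict:
    """Both verdicts for one request, for side-by-side comparison."""
    return {
        "raw": raw_url,
        "path": normalize_path(raw_url),
        "exact": allowed_exact(raw_url),
        "pattern": allowed_pattern(raw_url),
    }


# Constructed sample requests (not from the page).
SAMPLE_REQUESTS = [
    "/dwr/call/plaincall/myMethod1",              # listed method: both allow
    "/dwr/call/plaincall/myMethod4",              # new method: only the pattern allows
    "/dwr/call/plaincall/myMethod1?batchId=0",    # query string is not part of the match
    "/dwr/call/plaincall/my%4Dethod2",            # percent-encoded 'M': decoded first
    "/dwr//call/plaincall/myMethod3",             # doubled slash: collapsed first
    "/dwr/call/plaincall/myMethod1/../../admin",  # resolves to /dwr/call/admin: both deny
    "/dwr/call/plaincall/../../../etc/passwd",    # resolves to /etc/passwd: both deny
    "/dwr/call/scriptcall/myMethod1",             # different DWR call style: both deny
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        v = evaluate(url)
        print(f"{v['raw']:<45} -> {v['path']:<32} exact={v['exact']!s:<5} pattern={v['pattern']}")
```

The two verdict columns diverge only on myMethod4: the exact list, as the post says, has to be edited for every new method, while the pattern rule keeps admitting the prefix and still rejects everything that normalizes to a path outside it.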

Run Through PCI DSS 1.2 Changes

2008-08-26 11:38:00 by Dr Anton Chuvakin in Anton Chuvakin Blog
 
...WAF or code review for web application security is still a stupid "OR" - Req 6.6. OMG, please, software security folks, teach them the truth. Can we kill "plain text passwords" once and for all? Req 8 tries to achieve that noble goal (good thing). Visit your offsite data storage - good (if costly) idea - added to Req 9. Requirements to secure...