Tuesday, May 20, 2008

WebAppSec meets the NFL

Ryan Barnett of Breach Security has a great post up on how to think about outcome-based metrics in a web application security world, instead of always being input-centric.

“We are focusing too much on whether a web application's code was either manually or automatically reviewed or if it was scanned with vendor X's scanner, rather than focusing on what is really important - did these activities actually prevent someone from breaking into the web application? If the answer is No, then who really cares what process you followed. More specifically, the fact that your site was PCI compliant at the time of the hack is going to be of little consequence.”

Spoken like a man who’s actually had to defend a website before, the U.S. federal ATF website incidentally. I bet he has some great stories he can never tell either. :) Ryan’s NFL analogies are borrowed from Richard Bejtlich, but I loved how he expounded upon them with his own.

“…vulnerability scanning in dev environments is akin to running an Intra-squad scrimmage.”

“Running actual zero-knowledge penetration tests is like Pre-season games in the NFL.”

“Web application firewalls, that are running in Detection Only modes, are like trying to have a real football game but only doing two-hand touch.”


LOL. Brilliant!

2 comments:

Anonymous said...

"Web application firewalls, that are running in Detection Only modes, are like trying to have a real football game but only doing two-hand touch"

I don't know anybody else's definition of a Firewall, but for me a Firewall blocks. Does he mean an IDS? Then again, I can't see the use in an IDS without an IPS, but hey, that's me.

Ronald.

Ryan said...

Ronald - your comment is the perfect example of why I hate the fact that "web application firewall" was the name that stuck for this type of security device. As you stated, anytime someone hears the word firewall there is an implied blocking aspect; however, detection and prevention are two separate functions. There are many WAF users who do not block and are instead using it as either an http-level auditing device or a finely tuned web IDS system.

We actually had a good discussion of the value of WAFs in Listen-Only mode on the WebAppSec mail-list earlier this year - http://www.webappsec.org/lists/websecurity/archive/2008-01/msg00022.html
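To make the "detection only" versus "blocking" distinction from Ryan's comment concrete, here is an added configuration fragment (not from the post, the comment thread, or Breach Security). It assumes a ModSecurity 2.x module under Apache, which exposes exactly this switch as a single directive; the rule id and log path are placeholders.

```apache
# Added illustration: one ModSecurity rule, first in "two-hand touch"
# (listen-only) mode and then in blocking mode. Assumes ModSecurity 2.x
# under Apache; the rule id and the audit log path are placeholders.

# --- Listen-only / detection-only: every rule is still evaluated and every
#     match is logged, but disruptive actions (deny, drop, redirect) are
#     recorded rather than enforced. This is the "web IDS" usage. ---
SecRuleEngine DetectionOnly

# Record full transactions for matched or error requests so the same device
# doubles as an HTTP-level auditing tool.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABCFHZ
SecAuditLog /var/log/modsec_audit.log

# Example rule: flag a request argument that carries a SQL tautology.
# In DetectionOnly mode the 'deny' below only produces a log entry.
SecRule ARGS "@rx (?i)'\s*or\s+1=1" \
    "phase:2,id:900001,log,deny,status:403,msg:'Possible SQL injection'"

# --- Blocking mode: flip this one directive and the identical rule now
#     returns 403 to the client instead of merely writing to the log. ---
# SecRuleEngine On
```

The practical point is that switching from `DetectionOnly` to `On` changes nothing about which requests match; it only decides whether the WAF acts on a match. Running in listen-only mode first lets you review the audit log for false positives before a rule is allowed to block real traffic.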