I was looking through a presentation by .mario about PHPIDS (embedded below for your convenience), which got me thinking about Web Application Firewalls (or WAFs for short).
Currently I don’t see very much value in WAFs. My way of thinking goes something like this – there are two types of web applications you might run on your server:
- Those you have the source code for (either because it’s open source, developed in-house or delivered in a source-code format)
- Those you don’t have the source code for
From what I’ve seen (disclaimer: I did not have the opportunity to use PHPIDS or mod_security in production yet), to really tailor the WAF for your site, you must have a detailed knowledge about the type of data expected. If you take the time to gain this knowledge, wouldn’t it be better/easier to fix the source code directly?
My conclusion is that WAFs can be a last-step preventative measure with their generic rules; however, source code review is much more effective in finding (and fixing) the vulnerabilities. Probably most of you will say that you knew this already, but there is a tendency out there to equate the two (from what I understand, the PCI guidelines present the two as alternatives to one another).
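To make the argument above concrete, here is a small added illustration (my own constructed example, not a PHPIDS or mod_security rule): a generic, site-agnostic signature rule is compared with the tailored checks that only someone who knows what each parameter means can write in the application code. The sample inputs and the `id`/`name` field semantics are assumptions for the sake of the example.

```python
import re

# A generic, site-agnostic keyword/signature rule of the kind a WAF ships
# with by default. Constructed for illustration only.
GENERIC_SQLI_RULE = re.compile(r"(\bor\b|\bselect\b|\bunion\b|--|')", re.IGNORECASE)


def generic_waf_blocks(value: str) -> bool:
    """True if the generic rule would block this input, whatever the field."""
    return bool(GENERIC_SQLI_RULE.search(value))


# Tailored checks: these encode knowledge of the expected data that the WAF
# does not have. Assumption: 'id' is a positive integer record identifier.
def tailored_accepts_id(value: str) -> bool:
    return value.isdigit() and int(value) > 0


# Assumption: 'name' is a short free-text field of letters, spaces,
# hyphens and apostrophes (so "O'Brien" is legitimate).
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,63}$")


def tailored_accepts_name(value: str) -> bool:
    return bool(NAME_RE.fullmatch(value))


def compare(samples):
    """For each (field, value) return (field, value, passes_waf, passes_code)."""
    rows = []
    for field, value in samples:
        code_ok = tailored_accepts_id(value) if field == "id" else tailored_accepts_name(value)
        rows.append((field, value, not generic_waf_blocks(value), code_ok))
    return rows


# Constructed sample inputs.
SAMPLES = [
    ("id", "42"),               # benign: both approaches accept it
    ("id", "1 OR 1=1"),         # textbook probe: both reject it
    ("id", "42abc"),            # wrong shape: no signature fires, only the code rejects it
    ("name", "O'Brien"),        # benign: the apostrophe trips the generic rule
    ("name", "Select Sunday"),  # benign: the keyword trips the generic rule
]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

The last three rows are the point: the generic rule produces false positives on legitimate data and passes malformed data it has no signature for, while the in-code check is exact because it knows what the field is supposed to contain.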
PS. You should also check out the article over at nullbyte about how input validation is not the be all and end all of security.
PS no. 2: It may seem that I’ve been very dismissive of WAFs and would never use them. Just to clarify: I think that they should be used because they provide another layer of defense (and also have a very good ROI from a business standpoint); however, if you need some serious security (if you are handling sensitive information), you shouldn’t stop there.