WAFs are not perfect, but is any security tool perfect?

Larry Suto, an application security consultant, has published a sequel to his 2007 best-selling research on web application scanners. In the first round Larry managed to ignite quite a controversy and drew a lot of criticism from the losing vendors.

Presentation about WAFs in the cloud


In a recent OWASP meeting I gave an overview presentation on how WAFs interact with cloud computing, both utilizing the cloud and protecting cloud-based applications. I discussed the following scenarios:

The curse of PCI for WAFs

An enlightening case study presented by ArgoWorks, an Armorlogic reseller, highlights the benefit that PCI brings to the WAF market but also its curse.

A New Year, a New Acronym

DragonSoft from Taiwan has introduced what they label a "Personal Web Application Firewall". The new product is essentially a low-cost IIS plug-in, and the "personal" label refers to the price rather than to some form of desktop protection.

Are the Guardium and GreenSQL deals precursors to the WAF market?

Two significant events in the database security market occurred this week. At one end of the spectrum Guardium, a late-stage database security startup, was purchased by IBM for $225 million.

Ivan Ristic releases a ModSecurity book!

A new ModSecurity book, or for that matter any WAF book, is rare enough, and I was overjoyed when one ModSecurity book was released earlier this week. What can I say now that two ModSecurity books were released in the same week!

New WAF bypass method takes advantage of comment anti-evasion

A new blog post by Dmitry Evteev shows how an obscure MySQL syntax can be used to bypass ModSecurity signatures. The interesting thing is that the new technique actually takes advantage of a ModSecurity anti-evasion measure.

WAFs Appearing on Gartner's Radar


One of the recurring themes in my conversations with vendors and experts on the WAF market is the lack of analyst coverage. Such coverage provides important validation to an emerging market. It also helps to define the market, differentiating it from other market segments. And lastly, it makes the corporate buyer's life easier when navigating between all the choices. In short, many feel that the lack of analyst coverage limits the growth potential of the WAF market.

RSA WAF Trend: WAF in the cloud

As usual, RSA is the time of year companies choose for major announcements. Following the general computing trend, this year's WAF announcements focus on cloud computing:

  • Art of Defense, a WAF vendor from Germany, has launched its SaaS WAF solution, which targets mostly service providers and SaaS vendors.
  • Savvis, a web hosting company turning into a cloud services company, has added a WAF-in-the-cloud offering based on Imperva SecureSphere WAF.
  • SecureWorks, a managed security services provider, announced full management for Imperva SecureSphere and monitoring for other WAFs.

Two challenges facing WAFs in the cloud are bandwidth and complexity.

GreenSQL released!

I love open source software; however, not many open source projects make it and become an enterprise-grade solution. In the security field only a handful of projects have succeeded in doing so: Snort, Nessus and ModSecurity come to mind. GreenSQL, the only open source database firewall, is on its way to achieving this: its first non-beta version, appropriately labeled 1.0, was just released.
