A New Year, a New Acronym
DragonSoft from Taiwan has introduced what they label a "Personal Web Application Firewall". The new product is essentially a low-cost IIS plug-in, and the "personal" label refers to the price rather than to any desktop protection. Since the press release itself mentions that the product is signature based, we at Xiom classify it as an IPS and not as a WAF in our product directory.
The blurring of the difference between IPS and WAF is a serious problem, not just for the WAF market but for the state of application security as a whole. Essentially, today anything that applies signatures to parsed HTTP traffic is proclaimed a WAF. A good example of this is a blog post by bmestep that stresses the difference between IPS and WAF but goes only as far as discussing the level at which signatures are applied, completely missing other important factors such as positive security and session-based protection, which are essential for providing web application protection.
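To make the distinction concrete, here is an added illustration (not code from the post or from any product it mentions) of a signature-only check beside a positive-security policy: the signature model only recognises patterns it has been told about, while the positive model rejects any request that does not match the declared parameter schema. The URL, parameter names, patterns and policy are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Negative model (IPS style): a few illustrative, constructed signatures.
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (r"<script", r"\.\./")]

# Positive model: a constructed per-path schema of the parameters a page
# is allowed to receive and the shape each value must have.
POLICY = {
    "/account": {
        "id": r"[0-9]{1,6}",               # numeric account id only
        "view": r"(summary|detail)",       # fixed set of views
    }
}

def signature_check(url):
    """True if any signature matches anywhere in the request URL."""
    return any(sig.search(url) for sig in SIGNATURES)

def positive_check(url):
    """Return the list of policy violations; an empty list means the request conforms."""
    parts = urlsplit(url)
    schema = POLICY.get(parts.path)
    if schema is None:
        return ["unknown path %s" % parts.path]
    violations = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        pattern = schema.get(name)
        if pattern is None:
            violations.append("unexpected parameter %s" % name)
            continue
        for value in values:
            if not re.fullmatch(pattern, value):
                violations.append("parameter %s has an out-of-policy value" % name)
    return violations

def classify(url):
    """Combine both models: ('block', reason) if either flags the request, else ('allow', '')."""
    if signature_check(url):
        return ("block", "signature")
    violations = positive_check(url)
    if violations:
        return ("block", "; ".join(violations))
    return ("allow", "")

if __name__ == "__main__":
    # Constructed sample requests: the third one matches no signature at all,
    # yet the positive model rejects it for a non-numeric id and an unknown parameter.
    for sample in ("/account?id=42&view=summary",
                   "/account?id=42&view=<script>",
                   "/account?id=abc&debug=1"):
        print(sample, "->", classify(sample))
```

Running it shows that the last request would sail through a purely signature-based product and is only stopped by the positive model.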
The problem lies in the lack of standardization. While WAFEC, the only available standard for WAFs, clearly does not include solutions such as DragonSoft's in its definition, it has not been adopted by the leading industry players. Most notably, the fact that the PCI council has not created any WAF certification, so that every vendor can simply claim to be PCI 6.6 compliant, is troubling.