Solutions Accuracy

Industry research such as Larry Suto’s is often superficial and at times driven by external motivations. So where should we derive our research data from? While one answer may be to forgo with research data all together, another option that comes to mind is academic research. An academic paper comparing vulnerability discovery techniques that I encountered is a good test case for that...

Larry Suto, who brought scanners wars 1 and 2 has published a WAF effectiveness research. As usual, Larry’s work is fun to dissect. While Larry’s research is not worse than your average analyst’s work, he does try to base his conclusion on more concrete and pseudo-scientific research making it much more vulnerable to scrutiny.

Amichai Shulman, Imperva's CTO presented in Source Barcelona today an innovative solution for detecting men-in-the-browser attacks by the web server itself. The interesting aspect of the solution is that it relies on logic that goes unencrypted through the attacker code. As such, there is no way to prevent the attacker from interfering and therefore bypassing detection.

Larry Suto, an application security consultant, publish a sequel to his 2007 best seller research about web application scanners. In the first round Larry managed to ignite quite a controversy and drew a lot of criticism from the loosing vendors. The reason is simple: Larry found out that the scanners do not perform as well as advertised.

An enlightening case study presented by ArgoWorks, an Armorlogic reseller, highlights the benefit that PCI brings to the WAF market but also the its curse.

When asked why he bought a WAF, the director of application technology at Southern Utah University admitts that the reason was PCI. PCI is a very common reason for implementing a WAF and as such is usually considered as a boon to the WAF market. 

DragonSoft from Taiwan has introduced what they label a "Personal Web Application Firewall". The new product is essentially a low cost IIS plug-in and the "personal" label refers to the price rather than to some desktop protection. Since the press release itself mentions that the product is signature based, we at Xiom classify it as an IPS and not as a WAF in our product directory.