websecurity October 2007 archive

Re: [WEB SECURITY] Inter-company scanning quandary

From: Ryan Barnett <rcbarnett_at_nospam>
Date: Fri Oct 05 2007 - 16:44:13 GMT
To: "Martin O'Neal" <martin.oneal@corsaire.com>


On 10/5/07, Martin O'Neal <martin.oneal@corsaire.com> wrote:
>
>
> > I would think that an appropriate compromise would
> > be for Company Y to agree to deploy a web application
> > firewall as it would not be as "intrusive" as a scanner
> > against the site.
>
> Company Y has already demonstrated poor process. Adding another product
> to the equation in isolation will mean just another product that won't
> be managed. But worse than that, it will likely provide a false sense
> of security; thereby increasing the problem, not reducing it.

Insinuating that deploying a WAF (even if set in default mode and not closely managed) will make security worse is ludicrous. I understand your general points; however, the context of the original email was whether or not they should run a scanner against the site. I was simply pointing out an alternative approach.

Customers have the right to mandate that hosting companies meet certain requirements before signing on with them. It is too bad that the normal security policies/checks (SAS-70, etc...) don't really cover web specific issues. Say what you want about PCI, at least it shines some light onto the web security posture.

> Conversely, if however company Y has turned over a new leaf and fixed
> their process comprehensively, then the app firewall will function as an
> expensive fan-heater...

If by "expensive" you mean "free" with ModSecurity then I agree.

> So then, hands up class; who benefits from company Y buying a web app
> firewall? :)

Hmm... So then, hands up class; who benefits from company Y fixing their process comprehensively through IT Sec Consulting Services? :)
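As an added illustration of the "default mode" point raised in the reply above (example configuration added here, not taken from the original message or from the ModSecurity project), this is a minimal ModSecurity 2.x setup for Apache httpd in detection-only mode, the state a WAF sits in when it is dropped in and not managed: it inspects and logs, but blocks nothing. The directive names are standard ModSecurity 2.x; the rule set path, the audit log path and the rule ID are assumptions for illustration.

```apacheconf
# Added example: ModSecurity 2.x under Apache httpd.
# Directive names are standard; the Include path, log path and rule ID are assumed.
<IfModule mod_security2.c>
    # "Default mode": the engine evaluates rules and logs matches but never blocks.
    # Left like this, the WAF is an audit trail, not a control.
    SecRuleEngine DetectionOnly

    # Inspect request bodies (POST parameters), not only the URI and headers.
    SecRequestBodyAccess On
    SecResponseBodyAccess Off

    # Write audit-log entries only for transactions that matched a rule
    # or returned a 5xx/4xx (except 404) status.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Disposition for rules that do not specify their own: log and let it through.
    SecDefaultAction "phase:2,log,auditlog,pass"

    # Negative-security rules (Core Rule Set); path assumed.
    Include /etc/modsecurity/crs/*.conf

    # One site-specific positive rule: the "id" parameter must be a short integer.
    # Rule ID 100001 is assumed. In DetectionOnly this only logs; with
    # SecRuleEngine On the explicit deny,status:403 takes effect.
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" \
        "id:100001,phase:2,deny,status:403,log,msg:'Non-numeric id parameter'"
</IfModule>
```

Moving from monitoring to protection is a two-line change: `SecRuleEngine On` and a blocking default such as `SecDefaultAction "phase:2,deny,status:403,log,auditlog"`. The practitioner's caveat is the one implicit in the thread: run in DetectionOnly against real traffic first, read the audit log for false positives, and only then switch the engine on, because a WAF whose log nobody reads protects nothing either way.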