
RE: [WEB SECURITY] Inter-company scanning quandary

From: Martin O'Neal <martin.oneal_at_nospam>
Date: Fri Oct 05 2007 - 17:28:21 GMT
To: "Ryan Barnett" <rcbarnett@gmail.com>

> Insinuating that deploying a WAF (even if set
> in default mode and not closely managed) will
> make security worse is ludicrous.

Pffft; who was insinuating? I think you'll find I was quite explicit in saying that adding a WAF wouldn't improve the situation and why. Good security isn't about bolting products on, it is about solid process and QA. Your suggestion for an alternative to scanning, a WAF, simply isn't a good one. It neither identifies the vulnerabilities in the environment, nor is it any good for fixing the underlying problem (the flawed processes).

Martin...
