If you’ve been around the Application Security world for any amount of time, you have probably listened to or participated in lengthy discussions on this topic.
The big question ... "Do I scan my application and fix my code or do I install an Application Firewall and block attacks?" It’s always interesting to hear different viewpoints from folks on what they would do given a particular situation so I thought, why not throw down a few thoughts.
I hold the belief that both solutions provide a valid option (given a particular situation). I must admit, I have deployed Application Firewalls and have purchased scanners ... both provided the necessary solution at the time of need. Here are a few of the things that I found.
Application Vulnerability Scanners
- Cost Effective (much cheaper than application firewalls)
- Ability to assist in remediation of the actual problem
- Easy to implement... no infrastructure changes needed
- Very easy to use
- Most perform either blackbox OR whitebox testing
- Difficult to get developers to adjust their code once issues are discovered (most reports go into the magic cylinder next to their desks)
- False positives can be difficult to validate
- Scanning can sometimes be performed after an attack and do not offer a real secure solution for those who do not implement code changes correctly (but...i must admit... the solutions offered for remediation in these tools has become so simple that a cave-person could do it ....(avoiding trademark issues)
Application Layer Firewalls
- Provide proactive protection strategy and allow for actual attacks to be blocked or filtered
- Developers can go back to functionality as a strategy
- Security team can pretty much go back to sleep and take on a less annoying roll
- Infrastructure Changes
- Administration and Configuration: Not as easy to configure and maintain as some folks would lead you to believe.
Ok....so we have thrown out a list of goods and bads ....what the answer? Personally speaking ...fix your damn code. Period. Why put a band-aid on a open wound and allow it to bleed...pretty soon, you need to apply some pressure.
If you are seeking out a few solutions, you might begin with a couple of the market leaders:
- SPI Dynamics WebInspect (blackbox testing), DevInspect (blackbox and whitebox testing)
- Cenzic Hailstorm