Saturday, January 12, 2008

App Scanners vs. App Firewalls

If you’ve been around the Application Security world for any amount of time, you have probably listened to or participated in lengthy discussions on this topic.

The big question ... "Do I scan my application and fix my code or do I install an Application Firewall and block attacks?" It’s always interesting to hear different viewpoints from folks on what they would do given a particular situation so I thought, why not throw down a few thoughts.

I hold the belief that both solutions provide a valid option (given a particular situation). I must admit, I have deployed Application Firewalls and have purchased scanners ... both provided the necessary solution at the time of need. Here are a few of the things that I found.

Application Vulnerability Scanners

Pros:
  • Cost Effective (much cheaper than application firewalls)
  • Ability to assist in remediation of the actual problem
  • Easy to implement... no infrastructure changes needed
  • Very easy to use

Cons:
  • Most perform either black-box OR white-box testing, not both
  • Difficult to get developers to adjust their code once issues are discovered (most reports go into the magic cylinder next to their desks)
  • False positives can be difficult to validate
  • Scanning is sometimes performed only after an attack, and a scan does not offer a real secure solution for those who do not implement the code changes correctly (but... I must admit... the remediation guidance in these tools has become so simple that a cave-person could do it... (avoiding trademark issues))

Application Layer Firewalls

Pros:
  • Provide a proactive protection strategy and allow actual attacks to be blocked or filtered
  • Developers can go back to focusing on functionality
  • The security team can pretty much go back to sleep and take on a less annoying role

Cons:
  • Expensive!
  • Infrastructure changes required
  • Administration and configuration: not as easy to configure and maintain as some folks would lead you to believe

So we have thrown out a list of goods and bads... what's the answer? Personally speaking... fix your damn code. Period. Why put a band-aid on an open wound and allow it to bleed? Pretty soon, you need to apply some pressure.

If you are seeking out a few solutions, you might begin with a couple of the market leaders:

Scanning Solutions:

Application Firewalls: