[SC-L] Another WAF in town
Wall, Kevin
Kevin.Wall at qwest.com
Thu Sep 24 16:46:47 EDT 2009
> Interesting approach. Curious to know if this will satisfy a
> PCI auditor as a compensating control (section 6)
I think that's presently untested and therefore likely unknown.
I would guess it depends on the auditor's perspective. On one
hand, having a separate WAF appliance provides you with separation
of duties so it's harder for a dev team to configure the WAF so
it accepts everything (much like I've seen some folks use a regex
of ".*" for things in Struts validators that they haven't gotten
around to thinking more deeply about). On the other hand, the
dev team is in a much better position to truly customize the rule
set to use an actual whitelist approach. The mod_security WAF
approach generally leads to a signature-based, black-list approach.
So I can see pros and cons to each. But for a clueful dev team,
this could be a big asset if they are willing to take the time to
do things right.
-kevin
---
Kevin W. Wall Qwest Information Technology, Inc.
Kevin.Wall at qwest.com Phone: 614.215.4788
"It is practically impossible to teach good programming to students
that have had a prior exposure to BASIC: as potential programmers
they are mentally mutilated beyond hope of regeneration"
- Edsger Dijkstra, How do we tell truths that matter?
http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html
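The three validation styles the post contrasts, as an added illustration (this is not code from the original post, nor Struts or mod_security code): a ".*" placeholder mask that accepts everything, a signature-based blacklist, and an anchored whitelist mask, run over constructed sample inputs for an assumed "username" field whose allowed character set is also an assumption.

```python
import re

# Placeholder mask ".*": the "haven't thought about it yet" validator the post
# describes. DOTALL so it accepts embedded newlines as well; it accepts anything.
PLACEHOLDER_MASK = re.compile(r".*", re.DOTALL)

# Signature-style blacklist, the mod_security-like approach: reject only inputs
# containing a token we already know is bad (constructed, deliberately short list).
BLACKLIST_SIGNATURES = ("<script", "select ", "--")

# Whitelist mask: only the characters this (assumed) username field needs.
WHITELIST_MASK = re.compile(r"[A-Za-z0-9_]{3,32}")


def placeholder_validator(value: str) -> bool:
    """Accepts every input; equivalent to no validation at all."""
    return PLACEHOLDER_MASK.fullmatch(value) is not None


def blacklist_validator(value: str) -> bool:
    """Accepts anything that does not contain a known-bad signature."""
    lowered = value.lower()
    return not any(sig in lowered for sig in BLACKLIST_SIGNATURES)


def whitelist_validator(value: str) -> bool:
    """Accepts only values made entirely of allowed characters (anchored both ends)."""
    return WHITELIST_MASK.fullmatch(value) is not None


def unanchored_whitelist_validator(value: str) -> bool:
    """Common whitelist bug: re.match anchors only at the start, so trailing
    characters outside the allowed set slip through."""
    return WHITELIST_MASK.match(value) is not None


# Constructed sample inputs: legitimate names, markup, a control character, extremes.
SAMPLE_INPUTS = ["kwall", "k_wall42", "<b>kwall</b>", "kwall\n", "", "x" * 40]

VALIDATORS = {
    "placeholder": placeholder_validator,
    "blacklist": blacklist_validator,
    "whitelist": whitelist_validator,
    "unanchored_whitelist": unanchored_whitelist_validator,
}


def evaluate(inputs=SAMPLE_INPUTS):
    """Return {input: {validator_name: accepted}} so the styles can be compared."""
    return {v: {name: fn(v) for name, fn in VALIDATORS.items()} for v in inputs}


if __name__ == "__main__":
    for value, verdicts in evaluate().items():
        print(repr(value), verdicts)
```

The blacklist passes the markup and control-character inputs because no signature matches them, while the anchored whitelist rejects everything that is not a plain username; the unanchored variant shows why the anchoring itself has to be checked.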