Larry David and Web Application Firewalls

I’m a big fan of Curb Your Enthusiasm. If you’ve not encountered this excellent sitcom, it’s about Larry David (left), the co-creator of Seinfeld, who plays himself as he goes about his everyday life with his wife, Cheryl. Larry has a way of saying the things most of us would like to say but which would be deemed too socially unacceptable. For instance, on one occasion he orders a drink in Starbucks:

Larry: This is very good, by the way. Thank you. Is this a cafe latte? What is that? Milk..
Starbucks employee: Milk, uh..
Larry: Milk and coffee.
Starbucks employee: Milk and coffee, yeah.
Larry: Milk and coffee! Who would’ve thought? Milk and coffee!
Cheryl: You know, we need to go now.
Larry: Oh my god, what a drink! It’s milk and coffee mixed together! You’ve gotta go there! Sit down, have a doughnut! Have a bagel!

I’ve been accused of being a bit like Larry. I don’t think so. For starters I’m not in the slightest bit wealthy, neither am I American. However, I might say things you won’t necessarily agree with. For example, on web application security I said “we should take a different approach… stick a ruddy great application firewall in front of everything.” Somebody responded to that one saying “It’s like recommending Advil for diabetes” and called me insane. Somebody else told me I was “plain mad” (see here).

However, I am not alone in voicing reasons to be using the technology.

To address identified issues quickly, Web application firewall (WAF) technology is getting a serious look. Recent technology advancements enable vulnerability assessment results to pipe straight into a WAF as virtual patches.

This approach lets us mitigate the problem now, giving us breathing room to fix the code when time and budget allow.

The quote above is from an article published this week in CSO Online, written by Jeremiah Grossman. Jeremiah also talks about WAFs over on his excellent blog and goes into more detail about their purpose and limitations. For example:

WAFs don’t defend against every logic flaw, or even every crazy form of SQLi or XSS. Just as white/black box scanners can’t identify every vulnerability and neither can expert pen-testers or source code auditors.

Back to the CSO article, where the point is made that we are sitting on a huge legacy of insecure code and that “we can’t rewrite history.” So, the argument is that a web application firewall mitigates the risk – note: does not solve the problem – until the code can be replaced.

How much of the risk is mitigated is open to debate, but there are lots of other things to consider too. For instance, the cost of redeveloping code against the cost of purchasing and supporting a WAF. We also need to consider the value and risk profile of the product.
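To make the “virtual patch” idea in the quote above concrete, here is an added example of my own (not code from the CSO article, Jeremiah’s blog or any WAF product): a constructed scanner finding naming a path and parameter is turned into a narrow positive-security rule, and requests are then evaluated against it. The finding format and the rule logic are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Constructed sample findings, as a scanner export might look once normalised.
# This schema is hypothetical, not any real scanner's format.
FINDINGS = [
    {"path": "/search", "param": "q", "type": "sqli", "expected": r"[\w\s\-]{0,64}"},
    {"path": "/profile", "param": "id", "type": "sqli", "expected": r"\d{1,10}"},
]

@dataclass(frozen=True)
class VirtualPatch:
    path: str
    param: str
    allowed: re.Pattern
    reason: str

def build_patches(findings):
    """Turn each finding into a positive-security rule: the named parameter on
    the named path must match the format the application actually expects.
    Nothing else about the request is touched, so the patch stays narrow and
    the underlying code fix is still needed."""
    return [VirtualPatch(f["path"], f["param"],
                         re.compile(rf"^(?:{f['expected']})$"),
                         f"virtual patch for {f['type']} on {f['param']}")
            for f in findings]

def evaluate(patches, url):
    """Return (allowed, reason). Default is allow: the WAF only knows about the
    findings it was fed, which is exactly why it mitigates rather than solves."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for p in patches:
        if p.path != parts.path:
            continue
        for value in params.get(p.param, []):
            if not p.allowed.match(value):
                return False, p.reason
    return True, "no patch matched"

if __name__ == "__main__":
    patches = build_patches(FINDINGS)
    for url in ["/search?q=larry+david", "/search?q=x'+OR+1=1--",
                "/profile?id=42", "/profile?id=abc", "/other?id=abc"]:
        print(url, evaluate(patches, url))
```

Note that `/other?id=abc` passes untouched: a request the scanner never flagged is not covered, which is the gap between mitigating the risk and fixing the code.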

Anyway, back to Larry David and his views on being invited to a dinner party:

Larry: What is this compulsion to have people over at your house and serve them food and talk to them?