Web security - WAFs, Secure Code and Third Party Components

Some further interesting discussion on the subject of web application firewalls here. Regular readers of this blog (hello mum) will recall that this is a subject I’ve raised a couple of times in the past (for instance see entries of 08/07/08 and 18/06/08).

In his blog, Rich Mogull says

If you don’t have the resources for both (web application firewall and secure coding), I suggest two options. First, if you are really on the low end of resources, use hosted applications and standard platforms as much as possible to limit your custom coding. Then, make sure you have kick ass backups. Finally, absolutely minimize the kinds of information and transaction you expose to the risk of web attacks - drop those ad banners, minimize collecting private information, and validate transactions on the back end as much as

I think that’s great advice and wish more of the development teams I encounter would take note of it. Personally I still think it’s more or less impossible to write completely secure code, and recent projects I’ve reviewed have done absolutely nothing to sway that belief. What I am seeing more of is a worrying arrogance in development teams who seem to think that their code will be immune to attack.
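The last point in that quote, validating transactions on the back end, is the one most often skipped, so here is an added illustration (written for this page, not code from the original post or from Rich Mogull) of what it means in practice: a checkout that totals whatever price the browser sent, next to one that recomputes the total from a server-side catalogue and rejects anything that does not add up. The catalogue, the order format, the SKUs and the function names are all assumptions made for the example.

```python
"""Back-end transaction validation: trusting the client versus recomputing
on the server.

Added example, not code from the original post or from Rich Mogull. The
catalogue, the order format and the function names are assumptions made
for the illustration.
"""
from decimal import Decimal, InvalidOperation

# Constructed server-side price list: the only price source the hardened
# version will trust.
CATALOGUE = {
    "BOOK-001": Decimal("12.99"),
    "BOOK-002": Decimal("29.50"),
    "GIFTCARD-050": Decimal("50.00"),
}

MAX_QTY_PER_LINE = 100


class InvalidOrder(ValueError):
    """Raised by the validated checkout for anything that does not add up."""


def checkout_trusting_client(order):
    """Vulnerable: totals whatever unit price the client submitted.

    Anyone who edits the form or JSON can set unit_price to 0.01 (or a
    negative number) and the charge goes through as sent.
    """
    total = Decimal("0")
    for line in order["items"]:
        total += Decimal(str(line["unit_price"])) * int(line["qty"])
    return {"ok": True, "charge": total}


def checkout_validated(order):
    """Hardened: recompute the total from server-side data only.

    Client-supplied prices are ignored; a client-supplied total is used
    solely as a cross-check and any mismatch rejects the order.
    """
    items = order.get("items")
    if not isinstance(items, list) or not items:
        raise InvalidOrder("order has no items")

    total = Decimal("0")
    for line in items:
        sku = line.get("sku")
        if sku not in CATALOGUE:
            raise InvalidOrder(f"unknown sku {sku!r}")
        try:
            qty = int(line.get("qty"))
        except (TypeError, ValueError):
            raise InvalidOrder(f"bad quantity for {sku}")
        if qty < 1 or qty > MAX_QTY_PER_LINE:
            raise InvalidOrder(f"quantity {qty} out of range for {sku}")
        # Server price wins; line["unit_price"] is never read here.
        total += CATALOGUE[sku] * qty

    if "client_total" in order:
        try:
            claimed = Decimal(str(order["client_total"]))
        except InvalidOperation:
            raise InvalidOrder("unparseable client total")
        if claimed != total:
            raise InvalidOrder(f"client total {claimed} != server total {total}")

    return {"ok": True, "charge": total}


def is_accepted(order):
    """True if the validated checkout would let this order through."""
    try:
        checkout_validated(order)
    except InvalidOrder:
        return False
    return True


# Constructed tampered request: the client rewrote a 50.00 gift card to
# one penny and sent a matching total.
TAMPERED_ORDER = {
    "items": [{"sku": "GIFTCARD-050", "qty": 10, "unit_price": "0.01"}],
    "client_total": "0.10",
}

# Constructed honest request for comparison.
HONEST_ORDER = {
    "items": [{"sku": "BOOK-001", "qty": 2, "unit_price": "12.99"}],
    "client_total": "25.98",
}

if __name__ == "__main__":
    print("trusting client:", checkout_trusting_client(TAMPERED_ORDER)["charge"])
    print("validated, tampered accepted?", is_accepted(TAMPERED_ORDER))
    print("validated, honest charge:", checkout_validated(HONEST_ORDER)["charge"])
```

The point of the comparison is that the hardened version never reads the client's price at all; the only thing it takes from the client is which items and how many, and even those are bounded and checked against the catalogue. A web application firewall in front of the vulnerable version would not notice anything wrong with the tampered request, because it is syntactically a perfectly ordinary order.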

Another weak spot I’m seeing more of is the implementation of third party products: more of them are being used, I’m not seeing any due diligence performed before they become part of a production infrastructure, and I’m not seeing much in the way of support plans for keeping those components patched and updated.
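The minimum a support plan for third party components needs is an inventory of what is actually deployed, a baseline agreed when each component was vetted, and a named owner for patching it. As an added example (written for this page, not code from the original post), here is a small audit that compares the two and flags components that were never vetted, are running below the agreed minimum version, or have nobody responsible for them. The component names, versions, owners and SLAs are constructed for the illustration; the version parsing also handles the "1.9" versus "1.10" trap that catches anyone comparing versions as strings.

```python
"""Third-party component audit: flag deployed components with no agreed
patch baseline, running below the agreed minimum version, or with nobody
responsible for patching them.

Added example, not from the original post. The inventory, the baseline,
the component names and the version scheme are constructed for the
illustration.
"""
import re


def parse_version(text):
    """'1.10.0' -> (1, 10, 0). Numeric parts only, so comparison is numeric;
    a plain string compare would rank '1.9' above '1.10'."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version {text!r}")
    return tuple(int(p) for p in parts)


def version_below(installed, required):
    """True if installed < required, padding with zeros so that
    '1.10' and '1.10.0' compare equal rather than by length."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed production inventory: (component, installed version, patch owner).
INVENTORY = [
    ("example-cms",     "3.2.1",  "web team"),
    ("example-imaging", "1.9",    "nobody"),
    ("example-libxml",  "1.10.0", "platform"),
    ("example-ads",     "0.4",    "marketing"),
]

# Constructed baseline agreed when each component was vetted:
# component -> (minimum version to run, days allowed to apply a patch).
BASELINE = {
    "example-cms":     ("3.2.4", 7),
    "example-imaging": ("1.10",  30),
    "example-libxml":  ("1.9.5", 30),
}


def audit(inventory, baseline):
    """Return {component: [reasons]} for every component that needs action."""
    findings = {}
    for name, installed, owner in inventory:
        reasons = []
        if name not in baseline:
            reasons.append("no baseline: never vetted before going into production")
        elif version_below(installed, baseline[name][0]):
            minimum, sla_days = baseline[name]
            reasons.append(
                f"installed {installed} is below minimum {minimum} "
                f"(patch SLA {sla_days} days)")
        if not owner or owner.lower() == "nobody":
            reasons.append("no one is responsible for patching it")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in sorted(audit(INVENTORY, BASELINE).items()):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed data it flags the CMS (behind its minimum), the imaging library (behind and orphaned) and the ad component (never vetted at all), and passes the XML library. The real work is keeping the inventory and baseline honest; a check like this only makes it obvious when they are not.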

Since the beginning of this decade just under 15% of reported data breach incidents (169 of 1,148, according to the statistics in the OSF Data Loss Database) have been the result of website attacks. Statistics only tell us what has happened in the past, but I think that’s indicative enough that website security is likely to continue to be an issue.