Web App Firewalls: How to Evaluate, Buy, Implement

10.06.2009


Here are the attributes that a WAF should have, according to a list provided by Ofer Shezaf, founder of research and consulting firm Xiom:

* Have intimate understanding of HTTP. WAFs need to fully parse and analyze HTTP to be effective.

* Provide a positive security model. A positive security policy allows only traffic known to be valid to pass through. Sometimes called "whitelisting," this provides an external input validation shield over the application.

* Application-layer rules. Because of the high maintenance cost, a positive security model should be augmented by a signature-based system. But since Web applications are custom-coded, traditional signatures targeting known vulnerabilities are not effective. WAF rules should be generic and detect any variant of an attack, such as SQL injection.

* Session-based protection. One of the biggest downsides of HTTP is the lack of a built-in reliable session mechanism. A WAF must complement the application's session management and protect it from session-based and over-time attacks.
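To make the "positive security model" attribute concrete, here is an added example (not from the article or from Xiom) of an allow-list check for HTTP requests: each route declares the methods and parameters it accepts and a pattern per parameter, and anything undeclared is rejected. The route table, parameter names and patterns are assumptions chosen for illustration.

```python
"""Added example: a minimal positive-security (allow-list) request check.
The route table, parameter names and patterns below are assumptions."""
import re
from urllib.parse import urlsplit, parse_qsl

# Positive model: only these routes, methods and parameters are known-good.
# Everything not listed is rejected, which is what distinguishes allow-listing
# from a signature-based (negative) model that only blocks what it recognises.
ALLOWED_ROUTES = {
    ("GET", "/search"): {"q": r"[\w\s-]{1,64}", "page": r"\d{1,3}"},
    ("POST", "/login"): {"user": r"[a-z0-9_.]{3,32}", "password": r".{8,128}"},
}


def check_request(method, target, body_params=None):
    """Return (allowed, reason) for a request line plus optional form body.

    Query parameters are URL-decoded by parse_qsl before matching, so the
    patterns see the same values the application would (the WAF has to parse
    HTTP rather than match raw bytes, or encoding variants slip through).
    """
    parts = urlsplit(target)
    key = (method.upper(), parts.path)
    if key not in ALLOWED_ROUTES:
        return False, f"unknown route {method} {parts.path}"
    schema = ALLOWED_ROUTES[key]
    # keep_blank_values: an empty parameter still has to be a declared one
    params = parse_qsl(parts.query, keep_blank_values=True)
    if body_params:
        params += list(body_params.items())
    seen = set()
    for name, value in params:
        if name not in schema:
            return False, f"unexpected parameter {name!r}"
        if name in seen:
            return False, f"duplicate parameter {name!r}"
        seen.add(name)
        if not re.fullmatch(schema[name], value):
            return False, f"parameter {name!r} fails its pattern"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic
    print(check_request("GET", "/search?q=firewall&page=2"))
    print(check_request("GET", "/search?q=firewall&debug=1"))
    print(check_request("GET", "/search?q=a%27%20OR%201%3D1"))
    print(check_request("DELETE", "/search"))
```

Note that the quoted-string request is rejected not because a signature recognised it, but because a quote is simply not in the allowed character class for `q`; that is the maintenance trade-off the article describes, since every new parameter must be declared before it will pass.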
