Web App Firewalls: How to Evaluate, Buy, Implement

10.06.2009


WAFs protecting applications in real time (rather than fixing them) has ignited criticism in the past. Some vendors are wary of the term "WAF," preferring instead "application awareness" or "application-layer intelligence," Kelley says. Today, however, a growing consensus seems to be that, implemented correctly, WAFs can serve as an important part of a layered security model, as they provide protection while you repair application vulnerabilities.

According to Jeremiah Grossman, founder of WhiteHat Security, there are far too many vulnerabilities to keep up with remediating them in the code itself. He advocates that vulnerabilities found through an assessment be imported as customized rules into a WAF, providing an option to mitigate now and remediate the source of the problem later.

Gartner, on the other hand, advises customers to consider techniques for removing application vulnerabilities. "Before you spend your first dollar, consider whether you're in a position to remove vulnerabilities through a stronger system development lifecycle and by using tools such as source-code scanners," Young says. WAFs are useful for applications that are difficult or impossible to change, or those that are very dynamic, he says.

For most companies, "it's sufficient to choose one or the other approach," he says, although there is a small percentage of companies whose risk tolerance is so low that they'll want to use both.
