For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

The Unpossible Task of Eliminating Risk

An ant named Archimedes is in a hole 6' deep. He climbs half the distance to the top every hour. How long does it take for him to escape the hole? Trick question. He can never, mathematically, es...
Published Aug 11, 2008
Version 1.0
acceleration
application delivery
application security
efficiency
firewall
http
internet
performance
security
us
Lori_MacVittie's avatar
Lori_MacVittie
Icon for Employee rankEmployee
Aug 11, 2008
Hey Mike, can't resist back! :-)

 

 

I'm not convinced that all these tasks should be done one place or another. Should is a moral imperative, after all, and there's no law that says all these things must be done in the application or in the network.

 

 

From reading the web app sec list most applications can easily be bypassed. ;-) Neither is a panacea. Even if developers were addressing these vulnerabilities there'd still be compelling arguments for deploying a WAF. A WAF offloads the task of data scrubbing, input validation, anti-XSS, etc... from the application. We offload a lot of security functions - like SSL - and no one cries "that should be done on the web server". Why is that? Because over time we've come to accept that in many ways centralizing SSL and offloading it from the server provide additional benefits that are realized such as improved performance, easier management, reduced costs, and a simpler architecture.

 

 

Offloading some security tasks in terms of web application security to a WAF is not putting a band-aid on poison ivy, it's simply getting a shot of instead of a pill to solve the problem.

 

 

Contextual-based security (i.e. vulnerabilities in logic) are currently only addressed well by the application, true, but data-based security can easily be addressed by either the app, a WAF, or both.

 

 

Lori