Application Security? But I Have a WAF!
Veracode Blog – Tim Jarrett
A WAF tries to use known attack patterns to protect an application. It can be tuned by writing rules, but attackers are coming up with new patterns all the time. In fact, creating WAF bypasses is something of a cottage industry for security researchers, to the point that you can download cheat sheets for creating WAF bypasses from security researchers like @Pentestit_ru and @themiddleblue, the editor-in-chief from 1337pwn, or the well-known OWASP foundation.

Missed attack due to application changes

Missed attack due to configuration complexity

As Veracode Community member Glico Man said in a recent comment, “WAF is a ‘safety net’ and may provide ‘virtual patching’ until the application code is fixed… A well-configured WAF will provide more time for a developer to fix their code.”
Link: https://www.veracode.com/application-security-i-have-waf