One of Dre's reasons (#7 to be exact) to wait on Web Application Firewalls (WAFs) involves the use of WAFs at notable sites that have been breached.

Dre says:

7. Every organization that has installed a blocking WAF has also been in the media for known, active XSS and/or SQL injection

I'm assuming that what Dre really meant with this one was that every organization in the media known for being breached has also had a blocking WAF deployed, not that every organization with a blocking WAF has been breached. If I'm wrong on that assumption then someone needs to provide some compelling proof. While there have been hundreds of organizations highlighted in the media as having experienced a breach, the number doesn't match the number of customers of WAF vendors like F5 and its competitors.

I am not going to argue against the assertion (with the caveat of my aforementioned assumption), as I have no way to know for sure whether organizations highlighted in the media for having suffered a breach were running a blocking WAF or not. I'll even assume it's true. What I am going to rail against is the fact that the statistically insignificant percentage of sites protected by a WAF that are breached are the only ones you hear about.

The fact that thousands of sites running WAFs were, in fact, protected against breaches is never mentioned. The fact that just last night, attacks were launched against WAF protected sites and stopped - by the WAF - will never make headlines anywhere.

Really, can you imagine opening your inbox every day to find a press release like this:

F5 Networks Successfully Protected Sites Last Night

BIG-IP Application Security Manager Continues to Thwart Attackers Across the Globe

SEATTLE, Last Night - F5 Networks, Inc. (NASDAQ: FFIV), the global leader in Application Delivery Networking, today announced that its web application firewall, Application Security Manager, in conjunction with its BIG-IP Local Traffic Manager application delivery controller, successfully thwarted thousands of attacks against its customers' web sites. No sensitive data was lost, nor were sites protected by the F5 BIG-IP Application Security Manager defaced.

Additionally, BIG-IP customers reported continued availability of their mission critical applications due to the advanced features of the BIG-IP application delivery controller, preventing the potential loss of productivity and revenue due to unexpected downtime throughout the night.

"Users are happy, management is happy," Administrator Bob reported. "I slept the entire night even though I was on call. What more can I say? I'm a happy customer."

Really, that's just not that interesting, is it? No one wants to see a press release like this - no matter how true it may be - in their inbox every day.

No one is going to jump on that story because it's not sensational or full of fear. It can't be used to encourage prospective customers to buy products, nor does it elevate a relatively unknown blogger or journalist into the spotlight for having "broken" the news that a site was defaced, data was stolen, or an outage caused. It just isn't what is known, in the vernacular, as newsworthy.

So while Dre's assertion that sites protected by a WAF were, in fact, breached may be true, it doesn't tell the entire story; the one where thousands of other sites were protected, perhaps from those same attacks. It also fails to take into consideration that WAF effectiveness is dependent upon configuration, and there's no evidence that the WAFs involved in breaches were correctly configured or updated. We only know (allegedly) that they were deployed and ostensibly protecting the affected sites. Like any tool, if it's not used appropriately, it isn't going to be as effective.
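The configuration point deserves a concrete illustration. The following is an added example, not F5 code and not anything from the post: a toy policy evaluator that models the two settings a deployed WAF depends on most, an enforcement mode (transparent, meaning log only, versus blocking) and a signature set that has to be kept current. The signature patterns, the "V1"/"V2" version labels and the request fixtures are all constructed for the example; the mode names simply mirror the terminology such products use.

```python
"""Toy WAF policy evaluator: why "a WAF was deployed" says little about
whether it was configured to stop anything.

Constructed example, not F5 BIG-IP ASM code. It models two settings that
real products expose: an enforcement mode (transparent = log only,
blocking = reject) and a signature set that must be kept up to date.
"""
import re
from dataclasses import dataclass, field

# Constructed signature sets. V1 plays the role of a stale set; V2 adds one
# pattern for a class of input that the older set does not recognize.
SIGNATURES_V1 = {
    "sqli-tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
}
SIGNATURES_V2 = dict(SIGNATURES_V1, **{
    "xss-event-handler": re.compile(r"\bon\w+\s*=", re.I),
})


@dataclass
class Policy:
    enforcement: str          # "transparent" (log only) or "blocking"
    signatures: dict          # name -> compiled pattern
    log: list = field(default_factory=list)

    def evaluate(self, request: str) -> str:
        """Return "blocked" or "allowed" and record a log line either way."""
        hits = [name for name, rx in self.signatures.items() if rx.search(request)]
        if not hits:
            self.log.append(f"ALLOW  no-match  {request!r}")
            return "allowed"
        if self.enforcement == "blocking":
            self.log.append(f"BLOCK  {','.join(hits)}  {request!r}")
            return "blocked"
        # Transparent mode: the violation is logged, but the request still
        # reaches the application. Deployed, yes; protecting, no.
        self.log.append(f"ALERT  {','.join(hits)}  {request!r}")
        return "allowed"


# Constructed query-string fixtures, used only to exercise the evaluator.
REQUESTS = [
    "q=shoes",
    "id=1' or '1'='1",
    "name=<script>alert(1)</script>",
    "name=<img src=x onerror=alert(1)>",
]


def run(enforcement: str, signatures: dict) -> dict:
    """Evaluate every fixture under one policy; map request -> verdict."""
    policy = Policy(enforcement, signatures)
    return {r: policy.evaluate(r) for r in REQUESTS}


if __name__ == "__main__":
    scenarios = [
        ("transparent, stale signatures", "transparent", SIGNATURES_V1),
        ("blocking, stale signatures", "blocking", SIGNATURES_V1),
        ("blocking, current signatures", "blocking", SIGNATURES_V2),
    ]
    for label, mode, sigs in scenarios:
        print(label)
        for req, verdict in run(mode, sigs).items():
            print(f"  {verdict:8} {req}")
```

Run as-is, the three scenarios show the same appliance with three different outcomes: in transparent mode every request is allowed and only the log knows something happened; in blocking mode with the stale set, the tautology and the script tag are rejected but the event-handler input passes untouched; only the blocking mode with the current set stops all three. A breach headline that says "they had a WAF" does not tell you which of those three rows the victim was on.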

Regardless, the fact remains that the number of sites breached while (allegedly) protected by a WAF is statistically insignificant. Those same sites very well may have undergone penetration testing and vulnerability assessments, but we wouldn't discount those services because the sites were later breached, would we? The sites that are breached only make the headlines because it's sensationalistic and can be used to induce panic attacks at the C-level in every organization across the globe, and because it can help sell other security services, like outsourced security code reviews, vulnerability assessments, and penetration testing. Using it as an excuse to not deploy a WAF is ignoring reality: WAFs do, in fact, protect sites from attack and do so every day around the world.

You just aren't going to hear about it because it's not news when a product works the way it should.

Imbibing: Mountain Dew