During the debate of WAF versus, well, just about everything, I heard an interesting thing.

See, I was taking the view that the duplication of security code across all services/applications lays the groundwork for the introduction of errors, accidental omission, and the degradation of performance. I argued that a WAF addressed all these problems and was therefore a better option.

The person with whom I was discussing the subject declared that security code did not necessarily need to be included in the application; it could be a service that, in the spirit of SOA, could be reused, and that this addressed the problems just as well.

Huh. Really?

So basically it's okay to externalize security services and reuse them in order to secure applications, but it's not okay to externalize security services and reuse them in order to secure applications.

Huh. Really. Apparently some services are more equal than others. Is this a web farm or Animal Farm?

I agree that software security services, for the most part, address the problems inherent in duplicating security code across applications and services, but so does a WAF. The question really then becomes, "Does it matter where that service is deployed?"

See, a web application firewall (WAF) is, essentially, a security service. It's a security service that performs its scans and its evaluation of the cleanliness of requests before they reach the application, rather than afterwards. But it's a security service, nonetheless. It validates input, scans for malicious data, checks for SQL injection and XSS, and looks for a number of other web-based application vulnerabilities. And it's a service.

So rather than chew up valuable application resources with illegitimate or malicious requests, you deploy the security service in front of the application and only forward on legitimate requests.

Maybe I'm missing something, but if you're okay with externalizing security into a service that's reusable and consistent in its application of vulnerability evaluations, I can't see where it matters whether that service is a hand-crafted one or lives in a WAF.
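To make the "does it matter where the service is deployed?" question concrete, here is an added example (my own illustration, not code from the original post or from any WAF product). One reusable request-screening function stands in for the security service; it is then wired up in the two positions the post contrasts: in front of the application, where a WAF sits, and inside the application handler, where a hand-crafted SOA service would be called. The rule set, the `Request`/`Verdict` types, the `application` handler and the sample traffic are all constructed for the example; the signatures are deliberately minimal and are not a real WAF's rules.

```python
"""Toy 'security service' deployed in two positions: in front of the app
(WAF position) and inside the app handler (in-app position).
Constructed example; the rules are illustrative only, not a real WAF."""
import re
from dataclasses import dataclass, field

# Constructed rule set: a few textbook signatures, enough to show the idea.
RULES = {
    "sqli": re.compile(r"(?i)(\bor\b\s+1\s*=\s*1|union\s+select|--\s*$)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|on\w+\s*=)"),
}
MAX_BODY_BYTES = 4096            # assumed size limit for the example
ALLOWED_METHODS = {"GET", "POST"}


@dataclass
class Request:                   # constructed stand-in for an HTTP request
    method: str
    path: str
    query: str = ""
    body: str = ""


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def screen_request(req: Request) -> Verdict:
    """The reusable security service: identical logic wherever it is deployed."""
    reasons = []
    if req.method not in ALLOWED_METHODS:
        reasons.append(f"method {req.method} not allowed")
    if len(req.body.encode()) > MAX_BODY_BYTES:
        reasons.append("body exceeds size limit")
    for rule_name, pattern in RULES.items():
        for field_name, value in (("query", req.query), ("body", req.body)):
            if pattern.search(value):
                reasons.append(f"{rule_name} signature in {field_name}")
    return Verdict(allowed=not reasons, reasons=reasons)


class Stats:
    """Counting handler invocations stands in for 'application resources'."""
    def __init__(self):
        self.handler_calls = 0


def application(req: Request, stats: Stats) -> tuple:
    """The business handler (constructed); it only does work once entered."""
    stats.handler_calls += 1
    return 200, f"hello from {req.path}"


def waf_position(req: Request, stats: Stats) -> tuple:
    """Screen before the application runs: rejected traffic never reaches it."""
    verdict = screen_request(req)
    if not verdict.allowed:
        return 403, "; ".join(verdict.reasons)
    return application(req, stats)


def in_app_position(req: Request, stats: Stats) -> tuple:
    """Screen from inside the handler: the same service, but the app has
    already spent dispatch/parsing effort before it is consulted."""
    stats.handler_calls += 1      # handler entered regardless of the verdict
    verdict = screen_request(req)
    if not verdict.allowed:
        return 403, "; ".join(verdict.reasons)
    return 200, f"hello from {req.path}"


SAMPLE_REQUESTS = [               # constructed traffic, one benign, three not
    Request("GET", "/search", query="q=shoes"),
    Request("GET", "/search", query="q=' or 1=1"),
    Request("POST", "/comment", body="<script>alert(1)</script>"),
    Request("TRACE", "/"),
]


def compare_positions(requests=SAMPLE_REQUESTS) -> dict:
    """Run the same traffic through both positions and report the difference."""
    waf_stats, app_stats = Stats(), Stats()
    waf_statuses = [waf_position(r, waf_stats)[0] for r in requests]
    app_statuses = [in_app_position(r, app_stats)[0] for r in requests]
    return {
        "same_verdicts": waf_statuses == app_statuses,
        "statuses": waf_statuses,
        "handler_calls_waf_position": waf_stats.handler_calls,
        "handler_calls_in_app": app_stats.handler_calls,
    }


if __name__ == "__main__":
    print(compare_positions())
```

Both positions return the same verdicts for the same traffic, which is the post's point: the security logic is one service either way. The counters show the one thing that does change with placement: in the WAF position only the benign request reaches the handler, while in the in-app position every request, including the rejected ones, consumes handler resources before the service gets a say.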
