Comment by eli
2 months ago
Is a security solution worthless if it can't stop a dedicated attacker? A lot of WAF rules are blocking probes from off-the-shelf vulnerability scanners.
"It's technically better than nothing," is kind of a bizarre metric.
It's like not allowing the filesystem to use the word "virus" in a file name. Yes, it technically protects against some viruses, but it's really not very difficult to avoid while being a significant problem to a fair number of users with a legitimate use case.
It's not that it's useless. It's that it's stupid.
Do you lock your front door?
Do you brace yours with a bar?
It's merely security theater.
It reminds me of when airports started scanning people's shoes because an attacker had used a shoe bomb. Yes, that'll stop an attacker trying a shoe bomb again, but it disadvantages every traveller and attackers know to put explosives elsewhere.
“attacker had used a shoe bomb”
It’s even dumber than that. An attacker tried and failed to use a shoe bomb, and yet his failure has caused untold hours of useless delay for over 13 years now.
Now you have to buy your liberty with pre-check.
Most ransomware attacks are opportunistic. They scan basically the whole internet for vulnerabilities and attack from there. It's usually not a skilled attacker targeting a specific company.
Ransomware is a huge and growing problem. Very different than airline security, where attacks are extremely uncommon. If planes were constantly getting blown up, and if a majority of those attacks started with a shoe bomb, then checking everyone's shoes would seem a lot more reasonable, no?
IMHO the primary value for WAFs is for quickly blocking known vulnerabilities with specific rules to mitigate vulnerabilities while they are being properly patched. Ideally the WAF knows what software is behind it (example WordPress, Java app, ...) and can apply filters that may be relevant.
Anything else is just a fuzzy bug injector that will only stop the simplest scanners and script kiddies if you are lucky.
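An added illustration of the distinction this comment draws (example code written for this page, not from any commenter or any WAF product): a broad keyword signature beside a virtual patch scoped to one endpoint and one parameter, both run over constructed requests. The endpoint, parameter name and advisory id are assumed placeholders.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    """Minimal HTTP request model: only what these rules inspect."""
    path: str
    params: dict = field(default_factory=dict)


# Broad signature: flag any parameter value that looks "suspicious".
# This is the "ban the word 'virus' in filenames" style of rule.
GENERIC_PATTERN = re.compile(r"(\.\./|\bselect\b)", re.IGNORECASE)


def generic_rule(req: Request) -> bool:
    return any(GENERIC_PATTERN.search(v) for v in req.params.values())


# Virtual patch for a hypothetical traversal bug in one endpoint.
# Path, parameter and advisory id are constructed placeholders.
VIRTUAL_PATCH = {
    "id": "VPATCH-PLACEHOLDER-0001",
    "path": "/plugin/export",
    "param": "file",
    "pattern": re.compile(r"(^|/)\.\.(/|$)"),
}


def virtual_patch(req: Request) -> bool:
    if req.path != VIRTUAL_PATCH["path"]:
        return False
    value = req.params.get(VIRTUAL_PATCH["param"], "")
    return bool(VIRTUAL_PATCH["pattern"].search(value))


RULES = {"generic": generic_rule, "vpatch": virtual_patch}


def fired_rules(req: Request) -> set:
    """Names of the rules that would block this request."""
    return {name for name, rule in RULES.items() if rule(req)}


# Constructed sample traffic: two legitimate requests, one real probe
# against the patched endpoint, one piece of scanner noise elsewhere.
SAMPLES = {
    "legit_search": Request("/search", {"q": "how do I select a font"}),
    "legit_export": Request("/plugin/export", {"file": "report.pdf"}),
    "traversal_probe": Request("/plugin/export", {"file": "../../etc/passwd"}),
    "scanner_noise": Request("/cgi-bin/nonexistent", {"x": "../"}),
}


def evaluate() -> dict:
    return {name: fired_rules(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:16s} -> {sorted(fired) or 'allowed'}")
```

The generic rule blocks the legitimate search (a false positive on an ordinary English word), while the scoped patch fires only on the one endpoint it was written for.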
Every security solution can only stop a certain fraction of attacks.