Bang for your buck: WAF configuration

Typical.

Via Matt Franz, I came across a Response to WAF/IDS/IPS Effectiveness Report. I found this a little odd, since NTOBJECTives seems to have produced the report to which they then respond. (I may totally misunderstand what’s going on here.) (EDIT: I did totally misunderstand; see the comments below. The report writer is not associated with NTOBJECTives at all. Apologies!)

Regardless, it made a point or two I found worth noting about bang for your buck[1] for WAF and IDS/IPS configuration:

An organization should plan to spend 2-3.5 hours per application they plan to place behind a WAF to gain that consistent level of protection for all their applications.

The post seems to imply that they consider this a bit on the high end, and that organizations do as well:

This is significantly more time spent than the average organization spends on their production WAF installations.

I find this framing problematic: not the accuracy of the statement, since I have no data that contradict it, but the implied conclusion that the time is excessive. Is 2-3.5 hours per application really that high, considering the protection you get and the time invested in configuring other technologies? If you bring in a consultant to set it up and she charges $250/hour, that comes to $500 to $875, call it $1,000, per application. Having recently looked at WAF prices, I'd say that is tinkering on the margins of the project cost. And anyone who has managed an IDS or IPS installation knows that those technologies require far more time to configure and tune effectively.

In any case, I suspect that a really effective WAF would require more attention than that, particularly in agile shops, where every release can add endpoints and parameters that the existing tuning has never seen. 2-3 hours per application per week sounds more realistic to me, which means that most organizations will need a dedicated application security person just for the WAF, or else find a way to embed the responsibility in the development organization under the oversight of an appsec specialist (to avoid the "allow all" situation, where rules that generate false positives get switched off wholesale and the WAF ends up passing everything).
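What the per-application tuning budgeted above looks like in practice, as an added example that is not from the original post or from the report it discusses. It uses ModSecurity 2.x directive syntax under Apache purely as a stand-in for whatever WAF sits in front of the application; the path /app1/search, the parameter q and the rule id 942100 are assumed for illustration. Fragment A is the "allow all" shortcut, Fragment B the narrow tuning that keeps blocking on; they are alternatives, not one file.

```apache
# Added example, not from the original post. ModSecurity 2.x directives;
# /app1/search, parameter q and rule id 942100 are assumptions.

# ---- Fragment A: the "allow all" shortcut --------------------------------
# A rule fires on legitimate traffic to /app1/, and the quick fix is to
# turn the engine off for the whole application. Nothing under /app1/ is
# inspected any more, so the WAF no longer protects that application at all.
<Location /app1/>
    SecRuleEngine Off
</Location>

# ---- Fragment B: the per-application tuning the post budgets time for ----
# Blocking stays on everywhere, request bodies included.
SecRuleEngine On
SecRequestBodyAccess On
# Audit logging of flagged requests is kept, so the next false positive can
# be diagnosed instead of silenced.
SecAuditEngine RelevantOnly
SecAuditLogParts ABIJDEFHZ

# The exclusion is scoped to the one endpoint and the one parameter that
# actually produced the false positive: rule 942100 stops inspecting ARGS:q
# under /app1/search but still inspects every other argument there and every
# argument everywhere else. Update directives must come after the rule set
# that defines the rule has been included, or they have nothing to modify.
<LocationMatch "^/app1/search">
    SecRuleUpdateTargetById 942100 "!ARGS:q"
</LocationMatch>

# A wider but still bounded alternative, when a rule is simply wrong for this
# application: drop that one rule for /app1/ only, leaving the rest of the
# rule set in force there and the full rule set in force elsewhere.
<Location /app1/>
    SecRuleRemoveById 942100
</Location>
```

Each exclusion in Fragment B is the artefact of the hours the post is talking about: someone read the audit log, confirmed the match was a false positive, and wrote the narrowest directive that makes it go away. Fragment A takes a minute and is the outcome to expect when nobody owns that work.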

[1]: I refuse to get into the “security ROI” debate in this post.


5 Responses to Bang for your buck: WAF configuration

  1. A couple small points of clarification.
    1) NT OBJECTives did not produce the report. It was done by Larry Suto who does not and has never worked for NTO. As I understand it, he did the tests with cooperation from the various WAF/IPS vendors and we gave him use of our products for his testing.

    2) My point about the 3.5 hours was the numbers from the report, which were just about getting it installed and running to protect the small test sites he used. I think you're correct that the ongoing maintenance is also to be factored in.

    I do think WAFs and IPSs are great pieces of the security puzzle, but do hope users are not jumping into purchases with rose-colored glasses.

  2. Pingback: Surviving the Week – 11/18/2011 | Man Vs WebApp

  3. Thanks, Dan. I drew the conclusion because of where I found the report was hosted; can you elaborate on any relationship other than employer-employee with NT OBJECTives and Larry?

  4. Hi Kyle,
    I understand the confusion. The report was actually on slideshare, but I had a PDF version I had received which I tossed on my site. I should have just linked to his slideshare for less confusion.
    As far as the relationship with Larry, at one point he was evaluating our scanner for his consulting work, and he may have purchased NTOSpider (I'm not sure). I've gotten to know him a little more over the last 2 yrs and think he's a good guy and very smart. I'm always impressed that he thinks it's worth the arrows to publish data about the products he looks at for the benefit of pushing security products forward.
    The only "compensation" he's ever gotten from me is maybe a drink or two when I've seen him at the last couple of RSA or Blackhat conferences.

  5. Ah, I gotcha. Thanks very much for correcting me on this. :)

    I’ve updated the post accordingly.
