Do WAFs dream of static analyzers?

Author: Vladimir Kochetkov

Traditional WAFs treat the application they protect as a black box: incoming HTTP requests and outgoing HTTP responses are the only data available for attack detection. Clearly, that is not enough for a formal proof, so a WAF has to settle for a heuristic approach. Even intercepting every call the application makes to its environment (file system, sockets, database) only improves the quality of the heuristics; it does nothing to make a switch to formal methods possible. But what if we built a WAF that treated the application as a white box? What if it could work with an application model obtained by static code analysis? What if it could decide whether an HTTP request is an attack by running fragments of the application's own code?
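To make the white-box idea concrete, here is an added example written for this page; it is not the speaker's code and not PT Application Inspector. It assumes a hand-written "model" (the `SinkModel` records, the two `*_fragment` functions and their placeholder values) standing in for what a static analyzer would recover: for each dangerous sink, the code path that computes the sink's argument and which request parameters reach it. The WAF then runs that fragment twice, once with the real request and once with placeholder values of the expected type, and compares the token structure of the two results; a request is an attack for a sink if it changes the structure of the query that sink receives.

```python
"""White-box request screening by running sink-feeding code fragments.

Added illustration for the abstract above, not the speaker's or PT Application
Inspector's code. The application model below is written by hand; a real
white-box WAF would obtain it from static analysis of the application.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Params = Dict[str, str]


def find_user_fragment(p: Params) -> str:
    # Constructed vulnerable fragment: request parameter concatenated into SQL.
    return "SELECT id, name FROM users WHERE login = '" + p.get("login", "") + "'"


def get_order_fragment(p: Params) -> str:
    # Same defect in a numeric context: no quotes for a regex-based WAF to key on.
    return "SELECT * FROM orders WHERE id = " + p.get("id", "0")


@dataclass
class SinkModel:
    """Hypothetical static-analysis output for one sink: the fragment that
    computes the sink argument and, for each tainted request parameter, a
    placeholder value of the type the developer expected there."""
    name: str
    fragment: Callable[[Params], str]
    placeholders: Dict[str, str] = field(default_factory=dict)


APP_MODEL = [
    SinkModel("users.sql", find_user_fragment, {"login": "x"}),
    SinkModel("orders.sql", get_order_fragment, {"id": "1"}),
]

# Minimal SQL tokenizer: string literals (with '' escapes), numbers, words,
# line and block comments, single punctuation characters.
_TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+|\w+|--[^\n]*|/\*.*?\*/|[^\s\w]", re.S)


def sql_shape(query: str) -> List[str]:
    """Structural shape of an SQL string: literals collapse to LITERAL, comments
    to COMMENT; keywords, identifiers and punctuation are kept."""
    shape = []
    for tok in _TOKEN_RE.findall(query):
        if tok.startswith("'") or tok.isdigit():
            shape.append("LITERAL")
        elif tok.startswith("--") or tok.startswith("/*"):
            shape.append("COMMENT")
        else:
            shape.append(tok.upper())
    return shape


def screen_request(params: Params, model: List[SinkModel] = APP_MODEL) -> Dict[str, bool]:
    """Return {sink name: True if this request changes the sink's query structure}.
    Sinks none of whose tainted parameters appear in the request are skipped."""
    verdicts = {}
    for sink in model:
        if not any(k in params for k in sink.placeholders):
            continue
        baseline = {**params, **sink.placeholders}  # what the developer intended
        expected = sql_shape(sink.fragment(baseline))
        actual = sql_shape(sink.fragment(params))
        verdicts[sink.name] = actual != expected
    return verdicts


if __name__ == "__main__":
    # Constructed requests: two benign, two injection attempts.
    for req in ({"login": "alice"}, {"login": "' OR 1=1 --"},
                {"id": "7"}, {"id": "7 OR 1=1"}):
        print(req, "->", screen_request(req))
```

The decision is made per sink and per request parameter, with no attack signatures: a value is fine if the query keeps the developer's structure and hostile if it does not, so `it''s` (a properly escaped quote) passes while `O'Brien` in the unescaped `login` fragment is flagged, which is correct, since it really does break the query. The shape function is the part that has to be chosen per sink type; an equivalent one for file paths or shell commands would collapse the leaf name or an argument instead of an SQL literal.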

Language: Russian

Head of the application security assessment team. He works on the development of PT Application Inspector and is an expert in application security and applied cryptography. He has taken part in projects such as Nemerle, YAPOET and SCADA Strangelove. His articles have appeared in HITB Magazine, The Hacker Magazine and RSDN Magazine, and he has spoken at developer conferences and meetups. He is also a co-organizer of Positive Development User Group, a community for developers interested in application security.
