Custom WAF vs Barracuda WAF360
Did a comparison at a client's site today to showcase our Web Application Firewall against Barracuda WAF 360.
Test setup: Vulnerability scanner -> Barracuda/Custom WAF -> Metasploitable in VM.
Results?
We blew the competition away. In fact, it was so one-sided that I'm starting to wonder whether there was something wrong with the Barracuda or its setup (which was taken from a production site, configuration unchanged... it was configured by a Barracuda tech there).
1) Without WAF - 62 issues at 11000-odd requests (we were too impatient for it to reach 100%; it looked like it was going to take some time, so we settled on the arbitrary figure of 11k header requests).
2) With Barracuda WAF360 - 56 issues at 11000-odd requests. Some improvement, but this is allowing a surprisingly large number of items through (!).
3) Our custom WAF - 4 issues at a 100% scan. Actually it was zero, but we had to disable scanner detection (our WAF detects security scans and blocks them) to let Netsparker have a fair go at it. Then again, most script kiddies will use off-the-shelf software such as Netsparker, so one might argue it's fair to block them all. Denying information gathering is a basic tenet of security hardening.
There are obviously things we can do to improve the results. Firstly, let the scan run to 100% (doh). Secondly, use other vulnerability scanners, e.g. Nikto. We had a module dependency issue on our test laptop, so we had to forego a Nikto scan. Thirdly, the number of issues discovered has no bearing on how many high-threat issues there are that can actually be exploited. The free version of Netsparker does not give a full breakdown.