OWASP Interview with Amichai Shulman
Published March 12, 2010
- Amichai Shulman is the CTO of Imperva.
- Why are SQL injection attacks still prevailing?
- Are XSS attacks for real?
- What kind of hacking activity is there in reality?
- Organizations often have many different kind of applications, how do you account for the many different varieties of traffic?
- Some say that WAF's generate a large amount of false positives. How do operators manage this information?
- I think that insider threats and APT (Advanced Persistent Threats) are a real concern. Attackers are getting better? Do WAF's really help us from that kind of threat?
- WAF's are pretty powerful devices. Can a WAF deployment be done incorrectly so that it could actually increase risk? I would think that if an attacker could take over a WAF it could be a good jumping off point to launch other attacks from inside the network depending on how it is deployed.
- Why go commercial? There are more and more open source solutions for WAF technology.
- Can WAF's help us at the INTEGRATION tier level? i.e. Web Services, Ajax Proxies, communication to non-Web Services such as LDAP/AD, SMTP, SNMP, NTP, DNS
- We see the move towards a WAF (or other firewall) between every layer (defense in depth). Doesn't this get expensive?
- Do you have any stats on (1) Cost to fix bug before release: (2) Cost to fix bug after release vs (3) Cost to bolt-on a WAF?
- The industry has struggled to secure client to website traffic. Now that the web is moving to API to API, wrapping up chaotic distributed systems as 'the cloud' and then having data pass in promiscuous fashion between them all.... what do you think the future is for our industry?