Jeremiah Grossman posted an entry on his blog yesterday about why most WAFs are not currently implemented in blocking mode. To steal from Jeremiah, who borrows from Dan Geer,
“When you know nothing, permit-all is the only option. When you know something, default-permit is what you can and should do. When you know everything, default-deny becomes possible, and only then.”
I think both Jeremiah and Dr. Dan are right on with their analysis. In fact, I would take this a step further and say this is ultimately how developers end up deciding whether to use a blacklist or a whitelist approach for things like input validation. If you cannot fully document and articulate EVERYTHING about your site(s), it becomes impossible to create a valid whitelist. Knowing and understanding the majority of your site allows you to create a fairly effective blacklist, and of course, if you know nothing about your site you must allow all and pray.
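To make the three modes concrete, here is an added example (not from the post or from Jeremiah's or Dr. Geer's work) that models a request policy as permit-all, default-permit with a blacklist, and default-deny with a whitelist, then runs constructed sample traffic through each to show where the false positives and false negatives land. The paths, parameter schemas and patterns are invented for the example.

```python
import re

# Constructed, hypothetical policy model illustrating the post's three modes;
# the paths, parameter schemas and patterns are made up for this example.
ALLOWLIST = {  # "know everything": path -> {param: regex the value must fully match}
    "/login": {"user": r"[a-z0-9_]{1,32}", "pw": r".{8,128}"},
    "/search": {"q": r"[\w ]{1,64}"},
}
DENYLIST = [re.compile(p, re.I) for p in (r"<script", r"\.\./")]  # "know something"


def decide(mode, path, params):
    """Return 'allow' or 'deny' for one request under the given knowledge mode."""
    if mode == "permit-all":          # know nothing: everything passes
        return "allow"
    if mode == "default-permit":      # know something: block only known-bad values
        bad = any(p.search(v) for v in params.values() for p in DENYLIST)
        return "deny" if bad else "allow"
    if mode == "default-deny":        # know everything: pass only documented requests
        schema = ALLOWLIST.get(path)
        if schema is None or set(params) - set(schema):
            return "deny"             # undocumented path or undocumented parameter
        ok = all(re.fullmatch(schema[k], v) for k, v in params.items())
        return "allow" if ok else "deny"
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample traffic: (label, path, params, is_legitimate)
SAMPLE_TRAFFIC = [
    ("documented login", "/login", {"user": "alice", "pw": "correct horse"}, True),
    ("known-bad value", "/search", {"q": "<script>hi</script>"}, False),
    ("undocumented parameter", "/search", {"q": "shoes", "debug": "1"}, False),
    ("undocumented but legitimate feature", "/export", {"fmt": "csv"}, True),
]


def evaluate(mode):
    """Count false positives (legit blocked) and false negatives (bad allowed)."""
    fp = fn = 0
    for _label, path, params, legit in SAMPLE_TRAFFIC:
        verdict = decide(mode, path, params)
        fp += int(legit and verdict == "deny")
        fn += int((not legit) and verdict == "allow")
    return {"false_positives": fp, "false_negatives": fn}


if __name__ == "__main__":
    for mode in ("permit-all", "default-permit", "default-deny"):
        print(f"{mode:15} {evaluate(mode)}")
```

Only the default-deny mode stops the undocumented-parameter request, and it is also the only mode that blocks the legitimate but undocumented feature, which is exactly the cost of not knowing everything about the site.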
To read a much more in-depth explanation of how this plays out in security, check out Dr. Dan Geer’s book. He delves into one of this blog’s favorite topics, the economics of information security and the trade-offs associated with it. Happy Reading!
