

Andrew van der Stock

Good work, dude. Keep it up - the sooner we have some good guidance on how to use WS-* properly, the better.


anjan bacchu

Hi there,

good article.

Is there a PDF version available? I would like to have a hardcopy.

Thank you.



I think your concept of firewalls needs some updating. There are firewall products that are application aware and deal with the OWASP Top 10, specifically input validation, where the vast majority of attacks occur. Usurpation such as cross-site scripting, injection attacks, and even buffer overflows can be dealt with by certain firewall vendors. This notion of firewalls performing simply at layer three and four is outdated. A combination of secure coding practices and using application-aware firewalls would be the best approach.


Someguy: the paper is on Web services, not web apps per se, so while OWASP Top Ten-style attacks have some relevance, what we are really looking at is XML. The vast majority of network firewalls have little to no ability to deal with XML in the request body.

More to the point, Web services need an end-to-end security model, which network firewalls are unable to provide.

This is not to say that network firewalls don't have a role, or that Web App Firewalls and other technologies are not an important part of the security architecture; firewalls of all sorts continue to evolve, and some even get more effective. It remains a confusing marketplace. The Web App Firewall Evaluation Criteria is a very helpful tool to help sort out some of the main issues.


Unfortunately, many organizations try to use the firewall for things it was never designed for.
