Unluckily, the only time I was able to make it down to SF Bsides was for the Great PCI Debate, part 2. Luckily, all the rest of the presentations that went on there are available via Ustream. Of course, I still say the Great PCI Debate was the most important presentation, partly because it contains a guest spot by me (and several examples of me yelling from the sidelines). There was a momentary glitch where the video stream was lost for a minute or two, which is why it’s in two separate parts. In any case, watch my friends, Jack Daniel, Josh Corman, Andy Ellis, Michele Klinger and Anton Chuvakin, discuss compliance in general, not just PCI.
I’m not an expert on web application firewalls, which is why I’m asking for feedback on the Mykonos Security Appliance. I was given a demo of the product at the RSA Conference this year and it’s one of the few products I’ve seen lately that’s doing something new and innovative. Or, more accurately, it appears to be doing something new and innovative; it’s still in beta and this is a technology that’s outside my comfort zone. If you’re someone with expertise in WAFs, it should be worth at least a short look.
In a lot of ways, Mykonos appears to be a standard WAF; it can be used to protect your site from many of the standard coding errors that a WAF is designed to deal with. It addresses the OWASP Top 10 and it has all the reporting capabilities to tell you something’s wrong; in this area it doesn’t appear to have a lot of extra punch you can’t get elsewhere. The place it does start to have some distinguishing capabilities is in tracking, categorizing and responding to malicious attacks on your web site.
You want to know more about who’s probing your web site? Mykonos will dynamically modify the code your site is serving to get you more information on who’s attacking. It’ll tell you about the level of sophistication of the attacker: whether they’re just trying to manipulate a price in the shopping cart, whether they’re trying a SQL injection attack, or whether they’re working on something at the higher end of the attack scale. And it gives you a lot of choices about how you want to respond: simply block the user, send custom code telling them they’ve been identified and logged, or act as a honeypot to get even more information about the attacker and how he’s planning on attacking your site. The tracking and information-gathering abilities seem to be pretty impressive and it may be worth looking at for that alone.
Mykonos looks like more than a plain vanilla web application firewall, and the downside to that is it requires more work from the administrator and more work from your developers to make full use of its capabilities. This also means its potential for becoming shelfware is much greater as well. But if you’re looking for more than what a standard WAF offers, it might be worth looking at this product. And once you do, I’d appreciate feedback on your impression of the product. Is Mykonos a potential new product market, a single product with greater capabilities or just a flash in the pan that won’t amount to much?