6 comments

[ 3.0 ms ] story [ 32.2 ms ] thread
(comment deleted)
Unless you're hosting array of common apps (like wordpress), WAF is waste of time of everyone involved and the time would be better spent actually auditing the application you wrote rather than fighting with false positives.

The industry sold the idea to the gullible that they can make a bunch of arbitrary pattern matching rules that just make any app more secure

AWS forces an explicit default choice—Allow or Block. Azure defaults to passive "Detection," requiring a manual switch to "Prevention." An AWS engineer, used to making this conscious decision, might miss that Azure requires a separate, critical step to actually turn protection on.
Reading this, I cannot help but think about the LLM writing tropes that made the front page yesterday.

I have a feeling my brain chemistry has been permanently altered and I will forever be distracted by subconsciously rating the “LLM-ness” of everything I read.

https://news.ycombinator.com/item?id=47291513

The problem here is a real one: A lot of people in charge of implementing WAF don't understand what it's all about.

That said, this article is describing something that you quickly learn studying the WAF offerings on a cloud provider on day 1. For such a complex topic, this is surprisingly remedial to show up here.

All that said: there's a lot of dumb shit that ends up being configured in the cloud, and articles like this are good reminders for people to check for dumb shit.

Another AI-slop, with 0 value