Software 65¢

Unfortunately, over the course of my career I’ve always performed security via checkbox. That is to say, these are the organisational, institutional or prior-art standards for how security is managed (typically a fairly static service, internal service, cloud-run service, or predefined service with a low attack vector).

I’ve always wondered (superficially) where these standards get set (in the few circumstances involving low-value targets, I’ve relied on the direct advice of OWASP).

Today I came across much more pragmatic advice from Mac Chaffee discussing not just the intention, scale and evolution of the WAF but also its technical costs. Security, in my view, is about injecting the “correct” level of friction given a clear determination of the risks of the service being managed, so I invite you to consider Mac Chaffee’s view of Web Application Firewalls.

— LostLetterbox