Now it's the security industry's turn to be burned by cloud

Amazon has launched a web application firewall to help customers guard against common web exploits. The web attic touts the service as a means to ink custom rules to block attack patterns like SQL injection and cross-site scripting and offering the ability to quickly deploy application rules. Rules can be set based on IP …

  1. HxBro

    Why pay

    Mod Security or naxsi can be installed for free, a little monitoring at the beginning to tweak the rules and you can get this for free, no cost per hit, no cost per rule. Considering there are hundreds if not thousands of rules you could possibly run, paying for them does not make financial sense.

    Amazon should provide a core set of rules for free, then any additional rules chargeable.

    1. PrivateCitizen

      Re: Why pay

      I've always thought WAFs were little more than a nice front end for Mod Security and it seems that Amazon have just come up with a way to monetise it while simultaneously undercutting most WAF providers.

    2. Anonymous Coward

      Re: Why pay

      It's just another offering to appease the higher-ups in big companies, who wouldn't even look at anything other than F5 and similar products. If you read the policies in some big player companies, they mandate the use of web application firewalls (among many other requirements). This is just another box to be ticked, and the price tag wouldn't be an issue, because this is meant to "replace" rather pricey kit to begin with.

      With netflow being introduced not too long ago @AWS, I think the next tool they come up with might be per-VPC Intrusion Detection as a Service... (Again, big players wouldn't normally consider open source options like Snort for this, either)

  2. Anonymous Coward

    I heard that perhaps maybe some companies mentioned in the article or comments offer WafAAS now as well, so it's easier than ever to get a proper WAF. You can even front your cloud app with it. I have also heard from reputable sources that there's a lot more to a WAF than meets the eye, though I can see how on first glance it may seem like mod_security would cover it.

    By the way, I don't mean this as a counter-argument or suggestion that small companies should not use mod_security, but for Fortune 500 companies they probably want something that is a little more industrial strength and not as well known by attackers.
