Should you scan a website through a web application firewall?

Unfortunately, it is common for people to launch a security scan against a website or web application that sits behind a web application firewall (WAF) or some other kind of web security gateway. Scanning a website through such a "man in the middle" device or software gives only a false sense of security.
First and most importantly, you would be scanning the web farm's perimeter network and not the website itself. If the goal is to secure the website, this is the wrong approach. If the target website is vulnerable to SQL injection, a WAF in front of it may block the scanner's probe requests before they reach the application, so the vulnerability is never triggered, and therefore never discovered or reported. The scan then reports a clean result for a site that is still exploitable by anyone whose payload slips past the WAF's signatures.
Some might also argue that there is no need to scan a website at all when a WAF sits in front of it. After all, that is the path an attacker has to take, right? As a rule of thumb, security is only as strong as the weakest point on the network. Apart from that, there are a number of other reasons why one still has to scan and audit the website directly, rather than through its perimeter network, or not at all.
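The SQL injection case described above, as an added example that is not part of the original post: a deliberately vulnerable lookup, a hypothetical WAF that drops requests matching a few constructed signatures, and a minimal boolean-based injection check run once directly against the application and once through the WAF. The database, the signature set and the scanner logic are all assumptions constructed for this illustration, not any product's real rules or any scanner's real engine.

```python
import re
import sqlite3
from typing import Callable, Dict, List, Optional

Endpoint = Callable[[str], List[str]]


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample database (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def vulnerable_handler(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """The target: deliberately vulnerable, concatenates the parameter into SQL."""
    rows = conn.execute("SELECT name FROM users WHERE id = " + user_id).fetchall()
    return [name for (name,) in rows]


# Hypothetical WAF signature set: blocks the classic boolean tautology probe,
# stray quotes and SQL comment sequences. Real WAF rule sets are larger, but
# the masking effect on a scanner is the same.
WAF_SIGNATURES = [
    re.compile(r"\b(or|and)\b\s*\d+\s*=\s*\d+", re.IGNORECASE),
    re.compile(r"'"),
    re.compile(r"--|/\*"),
]


class Blocked(Exception):
    """Stands in for the 403 page the WAF returns instead of the application's response."""


def through_waf(handler: Endpoint) -> Endpoint:
    """Wrap an endpoint so that requests matching a WAF signature never reach it."""

    def guarded(user_id: str) -> List[str]:
        if any(sig.search(user_id) for sig in WAF_SIGNATURES):
            raise Blocked("request blocked by WAF signature")
        return handler(user_id)

    return guarded


def scan_sqli(endpoint: Endpoint) -> Dict[str, object]:
    """Minimal boolean-based SQLi check.

    Sends a benign baseline, then a payload that should widen the result set
    and one that should empty it. Only if both probes reach the application and
    behave as predicted is the parameter reported as injectable. A probe that is
    blocked yields no signal, so the scanner cannot report what it never saw.
    """
    baseline = endpoint("1")
    responses: Dict[str, Optional[List[str]]] = {}
    blocked = 0
    for label, payload in (("true", "1 OR 1=1"), ("false", "1 AND 1=2")):
        try:
            responses[label] = endpoint(payload)
        except Blocked:
            blocked += 1
            responses[label] = None
    true_resp, false_resp = responses["true"], responses["false"]
    vulnerable = (
        true_resp is not None
        and false_resp is not None
        and len(true_resp) > len(baseline)
        and len(false_resp) < len(baseline)
    )
    return {"vulnerable": vulnerable, "blocked_probes": blocked}


if __name__ == "__main__":
    conn = build_db()
    app: Endpoint = lambda p: vulnerable_handler(conn, p)
    print("direct scan     :", scan_sqli(app))
    print("scan through WAF:", scan_sqli(through_waf(app)))
```

Run directly, the scanner reports the parameter as injectable; run through the WAF, both probes are blocked and the same parameter is reported as not vulnerable, even though the application code has not changed. That false negative is exactly what a scan of the perimeter, rather than of the site, produces.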

As we’ve seen in the past, web application firewalls can (continue reading...)


Copyright © 2012 The Security Blog. All rights reserved.