NAXSI is an open-source web application firewall developed by Thibault “bui” Koechlin, NBS System’s CSO, and his team. This NGINX module, used by NBS System, substantially strengthens the security of websites, particularly against attacks such as XSS and SQL injection.
In line with the open-source spirit, and for the continuous improvement of the tool, a feedback survey is available on NAXSI’s GitHub page. Today, discover a summary of this feedback!
What is NAXSI used for?
264 answers have been received since the survey was put online in March 2012. Among these respondents, at the moment of their answer:
- 31% were testing the tool
- 49% used NAXSI in a pre-production environment
- 20% used it in production
The size of the websites handled by the respondents is also quite variable, as mentioned in the table below:
Most of the respondents (63%) deal with websites recording fewer than 5000 visitors per month. The largest share (37% of the total) run websites that get fewer than 100 visits per month.
We can nevertheless note that 42% of respondents using NAXSI in pre-production handle websites with several hundred visitors per day or more! NAXSI is thus most used on the highest-traffic websites for testing purposes or in a pre-production environment.
However, given the positive comments left by the respondents, it is more than likely that most of those testing NAXSI or using it in pre-production when they answered ended up integrating it into their production environment! If this is your case, do not hesitate to let us know what tipped the scales…
NAXSI: why use it?
The survey contained a question asking the respondents about the principal reason why they used NAXSI.
Here are their answers:
- 34%: because I’m paranoid
- 29%: because confidence doesn’t exclude control!
- 20%: because I know my website has some vulnerabilities
- 17%: other
Among the respondents who chose the option “other”, some gave further details in comments:
- 18%: request from their company, a partner, a client…
- 16%: testing of the tool
- 16%: adding an extra security layer
- 13%: comparison with ModSecurity
- 11%: search for tools after being attacked
Some of these answers brought up interesting points. They can indeed be grouped into a few broad motivations:
65% of respondents simply want to ensure their security as much as possible
Indeed, as a web application firewall, NAXSI sits on top of the other protection layers already present on an infrastructure. Whether or not one knows one’s website is vulnerable, it brings additional security, helping to protect the website against the principal web attacks, just like a shield.
What improvements could be applied to NAXSI?
In the interest of continuous improvement, the survey also asked NAXSI’s users about potential issues, remarks or points for improvement. Several of these answers concerned specific features related to a website or to the environment on which the respondent used or tested NAXSI.
However, one request stood out: 29% of respondents asked for better documentation. True, it is not always easy to integrate a new tool! However, one must not forget that NAXSI is open-source: its creators, though committed and delivering regular improvements, also deal with other projects.
We thus count on your participation! NAXSI’s wiki is open for anyone to edit: do not hesitate to complete the tool’s documentation and make your contribution!
What do users think of NAXSI?
“NAXSI is fantastic. The response time decrease is negligible if any.”
“With NAXSI the application doesn’t crash and I can sleep easier! […] It does exactly what it’s supposed to do and it does it exceedingly well.”
“I love frogs. They are so cute and gentle. Should be revered by everybody.”
“As a penetration tester, I’ve met with NAXSI many times, and most of them it resulted in a loss for me.”
“The idea behind the product is pure genius :)”
“This is way too easy to use, how can I justify my job with such a tool?”
Of course, we have only quoted here some of the comments that were written… all positive! A great victory for NAXSI and for the security of the Web as a whole.