The Internet, a wonderful invention indeed, has made it much easier for people to communicate and share information. For businesses, one of the primary benefits of the Internet is the invention of the search engine and the website. Rather than using billboards, cold calls, and other means to advertise their services, businesses today create a good ol’ website that describes all of their products and services, which customers can easily find using a search engine.
As we all know, this website can also be interactive, with a web application that uses a direct connection to the company’s back-end databases to provide a customized experience to the user. This connection is a huge benefit to the organization, but also represents a major security hole.
A web application firewall (WAF) is an essential cybersecurity solution for any organization using web applications. By providing defenses against common attack vectors, it ensures that a flaw in the web application code doesn’t equal an expensive data breach for the company. However, not all WAFs are created equal. There is a significant gap between the common WAFs and the top-of-the-line ones. Choosing the right one may mean the difference between an attack being caught or let through (as many WAF customers have learned the hard way).
Why You Need a WAF (Web Application Firewall)
Web applications have become one of the primary ways that organizations interact with their customers. Instead of operating a storefront and forcing customers to come to you, a web application allows them to create an account, manage their relationship with you, and order products and services from their keyboard. The web application provides a convenient replacement for a variety of advertising and customer service solutions and makes it easy for the modern consumer to make informed decisions and manage their accounts.
As the public face of the company on the Internet, a good web application has significant value to the organization. The best web applications provide easy access to company data for the consumers, which is both a major asset and a major threat to the company. An attacker with unauthorized access to a web application can use this direct connection between the database and the web browser to exfiltrate sensitive information for abuse or sale on the black market.
Web applications are software, and software almost invariably has bugs. The big question is whether or not those bugs are enough to allow an attacker to break into the company’s systems. A web application firewall (WAF) is designed to make this question irrelevant. A WAF stands between your web application and any attackers, detecting and blocking any attempt to find and exploit a vulnerability. While secure design and development is always a good idea, deploying a strong WAF helps to ensure that a mistake doesn’t mean a data breach.
Just Good Isn’t Good Enough
Recently, the Ponemon Institute released the results of a survey of WAF owners on how satisfied they were with their WAF. The results weren’t promising. In fact, only 40% of respondents were actually happy with their WAF, and, with 65% of respondents finding that application-level attacks are bypassing their WAF, this isn’t surprising. This is caused by the fact that there is a huge gap between a “good” WAF and a “great” one.
The first issue was a lack of focus on the “right” functionality in a WAF. Most WAFs provide protection against the OWASP Top Ten vulnerabilities, and this may be all that a “good” WAF provides. However, respondents considered this one of the least effective features (only 47% find it useful). The most important feature in a WAF (74% support) is DDoS protection, which should definitely be included in your WAF solution.
The other big problem is that most organizations’ WAFs require a large amount of management. 43% of users run their WAFs only in detective mode, meaning that incident responders need to look through and take action on all of the alerts generated by the WAF. This is where a great WAF can shine, by providing increased intelligence and automation built into the WAF (which 72% of users want).
Choosing the Best WAF
With the increasing use of web applications as the primary means of communication between an organization and its customers, the web application needs to work, and work well. The need for web application security is heightened by the fact that these applications often have direct access to organizations’ repositories of sensitive data, making them a prime target for attackers attempting a data breach.
Web application firewalls (WAFs) are the first line of defense when protecting these applications from hackers. However, the range of capabilities provided by WAFs varies widely. Some may only provide protection against simple, known attacks like those listed in the OWASP Top Ten. Others provide comprehensive defenses for web applications, combining signature and anomaly detection to catch and prevent a wide variety of attack vectors.
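To make the two ideas above concrete (the detective-versus-blocking distinction from the Ponemon discussion, and the signature-plus-anomaly combination just described), here is a small, self-contained request inspector in Python. It is an added illustration written for this page, not code from the article or from any WAF vendor; the rule set, the weights, the threshold and the three sample requests are all constructed for the example. A signature rule catches a request that matches a known pattern, an anomaly score catches a request that matches no signature but looks nothing like normal traffic, and the same verdict is either merely logged (detective mode) or enforced (blocking mode).

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Signature rules: (rule id, pattern, weight). Constructed for this example;
# they are not any vendor's rule set and are deliberately tiny.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE), 5),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.IGNORECASE), 5),
    ("path-traversal", re.compile(r"\.\./"), 4),
]

# Anomaly heuristics: flag requests that look unusual even when no
# signature fires. Thresholds are illustrative assumptions.
MAX_NORMAL_LENGTH = 200
META_CHARS = "'\"<>;()"
BLOCK_THRESHOLD = 5


@dataclass
class Request:
    path: str
    query: str


@dataclass
class Verdict:
    score: int
    reasons: list
    action: str  # "allow", "alert" (detective mode) or "block"


def anomaly_score(text: str):
    """Score a decoded request on length and metacharacter density."""
    score, reasons = 0, []
    if len(text) > MAX_NORMAL_LENGTH:
        score += 2
        reasons.append("anomaly:length")
    meta = sum(text.count(c) for c in META_CHARS)
    if meta >= 4:
        score += 3
        reasons.append("anomaly:metachar-density")
    return score, reasons


def inspect(req: Request, mode: str = "block") -> Verdict:
    """Combine anomaly and signature scores, then apply the deployment mode."""
    # Decode once so URL-encoded variants are judged by the same rules.
    text = unquote_plus(f"{req.path}?{req.query}")
    score, reasons = anomaly_score(text)
    for rule_id, pattern, weight in SIGNATURES:
        if pattern.search(text):
            score += weight
            reasons.append(f"signature:{rule_id}")
    if score < BLOCK_THRESHOLD:
        action = "allow"
    elif mode == "detect":
        action = "alert"   # detective mode: log for responders, let it through
    else:
        action = "block"   # blocking mode: enforce the verdict
    return Verdict(score, reasons, action)


# Constructed sample traffic: one normal search, one textbook tautology,
# and one request with no known signature but abnormal shape.
SAMPLE_REQUESTS = {
    "benign": Request("/search", "q=blue+widgets"),
    "sqli": Request("/item", "id=1%27+or+1%3D1--"),
    "odd": Request("/search", "q=" + "%27%22%3B" * 80),
}


def run_all(mode: str = "block") -> dict:
    """Inspect every sample request in the given mode."""
    return {name: inspect(req, mode) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for mode in ("detect", "block"):
        for name, v in run_all(mode).items():
            print(f"{mode:6} {name:6} score={v.score} action={v.action} {v.reasons}")
```

The "odd" request is the interesting case: none of the signatures match it, yet its length and metacharacter density push it over the threshold, which is what the anomaly side of a combined engine buys you. The same verdict produces only an alert in detective mode, which is the operational burden the survey respondents describe, and a block once the operator trusts the rules enough to enforce them.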
As the Ponemon study demonstrates, the capabilities of a WAF have a huge impact on its effectiveness. Many users have found that their web applications are still vulnerable to attack despite deploying WAF defenses. This shows the importance of choosing a top-of-the-line WAF to protect your online applications. These applications are the public face of an organization and have direct access to sensitive and protected data. Choosing a strong WAF to protect these resources is not just a priority but a necessary component of any organization’s cyber defense strategy.