Web Application Firewalls (WAFs) are an excellent last line of defense. They're great at blocking both automated scans and granular exploits like Cross-Site Scripting and SQL injection. I recommend WAFs to partners all the time. But is there more to the story?
Unfortunately, more vendors deploy a WAF to cover up the vulnerabilities in their web applications instead of looking to fortify the coding practices that led to them. The WAF has also replaced the good old security practices of conducting regular audits and security scans. It's "set it and forget it". This is especially common with the compliance-as-a-checkbox mode of operation that's present in many businesses. Reminds me of what Firewalls with Stateful Inspection Technology were 10 years ago.
A WAF will not protect you against application logic flaws: a request that abuses a flaw in your business logic carries no attack signature, so there is nothing for the WAF to match. What about weak passwords in your web application? Another flaw that may go unguarded.
Good security practices like security monitoring, patch management, change management, incident response processes and procedures, and most importantly security awareness sessions still hold good.
Whether you work for a large enterprise or a small business, just know that Web Application Firewalls are not the end-all, be-all solution for your web security problems. They're good at what they do. But like airbags in our automobiles, they can't be relied on completely. To set up a WAF and rely on it completely to protect your web application is short-sighted and a recipe for getting bitten when you least expect it.
The solution is to layer your web controls and look to fortify your coding practices. Web application flaws are better fixed at the source by performing periodic scans, running manual tests and reviewing your code.
After you follow best practices for setting up your web application, let the WAF be the icing on the cake.