"Set it and forget it attitude"- Web Application firewall

Web Application Firewalls (WAFs) are an excellent last line of defense. They’re great at blocking both automated scans and granular exploits like Cross-Site Scripting and SQL injection. I recommend WAFs to partners all the time. But is there more to the story?

Unfortunately, more security vendors deploy WAF to cover up instead of looking to fortify their coding practices which led to vulnerabilities in their web applications. WAF has also replaced good old security practices of conducting regular audit and security scan. It's "set it and forget it". This is especially common with the compliance as a checkbox mode of operation that’s present in many businesses. Reminds me of what Firewalls with Stateful Inspection Technology were 10 years ago.

WAF would not protect you against application logic flaws. What about weak passwords in your web application? Another flaw that may go unguarded.

Good security practices like security monitoring, patch management, change management, incident response processes/procedures and most importantly security awareness sessions still hold good.

Whether you work for a large enterprise or a small business, just know that Web Application Firewalls are not the end-all be-all solution for your web security problems. They’re good at what they do. But like airbags in our automobiles, they can’t be relied on completely. To set up WAF and rely on it completely to protect your Web application is being short sighted and a recipe for getting bitten when you least expect.

The solution is to layer your web controls and look to fortify your coding practices. Web Application flaws are better fixed as the source by performing periodic scans, manual tests and review your code.

After you follow best practices for setting up Web Application, let WAF be the icing on the cake.