Buyer's Handbook: Use a web app firewall to halt app attacks

Stop app attacks with a web application firewall

Web application firewalls are more essential than ever when it comes to halting app attacks. Learn what features and functions you should look for when choosing a new WAF.

Choosing the right web application firewall has never been more critical. Web app attacks are now constant, with attackers seeking unauthorized access to sensitive data, such as credit card numbers and customer records, so they can commit identity theft, financial fraud and other crimes. Because so much of this sensitive data sits in back-end databases that are reachable only through web applications, attackers frequently target those applications to get at the data behind them.

Web application firewalls, or WAFs, were created to stop these attacks before they compromise web servers and the databases behind them, and so to prevent data breaches. Any web application an organization runs can be put behind a WAF, but the return on investment is highest for applications developed by third parties, where the organization has no access to the source code. The organization cannot fix vulnerabilities in such applications itself; its only recourse is to ask the vendor for a fix and wait for an updated version. That leaves a short-term, and sometimes long-term, need to put the application behind a layer that compensates for its vulnerabilities.

WAFs are often mandated by policy, regulation or another set of requirements. For example, requirement 6.6 of PCI DSS version 3.2 requires that public-facing web applications either be reviewed with application vulnerability security assessment tools or methods, at least annually and after any change, or be protected by an automated technical solution that detects and prevents web-based attacks, such as a WAF. Given the limitations of assessment tools, particularly when source code is not available, and the staff time needed to run assessments and analyze their results, many organizations choose a WAF to satisfy this requirement.

How a WAF works

A WAF can be deployed as a hardware appliance, a virtual appliance or a cloud-based service in front of the web servers, or as a server-based add-on (typically a web server module) running on each web server. Regardless of its form, the WAF intercepts HTTP requests and checks that they are benign before the web servers process them. To inspect HTTPS traffic it must sit where the TLS session is terminated, either terminating TLS itself or running on the web server behind its TLS endpoint; a device that only sees encrypted bytes can inspect nothing. The WAF analyzes each HTTP request and, where appropriate, each server-generated response for dozens of types of known web application attacks, such as session hijacking, path traversal, buffer overflows, denial of service, cross-site scripting (XSS) and SQL injection. When it detects an attack, it can block the offending request or response from reaching its recipient, preventing the attack from succeeding. Most WAFs combine negative (signature) rules, which look for known attack patterns in each request field after decoding and normalizing it, with a positive security model that allows only the parameters, value formats and lengths the application is known to accept.
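The inspection pipeline described above, as an added example in Python that is not code from the article or from any WAF product: it parses a raw HTTP/1.1 request, canonicalizes each inspected field (repeated percent-decoding, slash folding) so that encoded payloads cannot slip past the rules, and scores the request against a small negative rule set with an anomaly threshold rather than blocking on the first match. The rules, scores, threshold and sample requests are constructed for illustration, not taken from any product's rule set.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed example requests (not captured traffic). The first carries a lone
# SQL comment token inside ordinary text; the others are real attack shapes.
BENIGN = ("GET /search?q=o%27reilly+--+books HTTP/1.1\r\n"
          "Host: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
TRAVERSAL = ("GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1\r\n"
             "Host: shop.example\r\n\r\n")
SQLI = ("POST /login HTTP/1.1\r\nHost: shop.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 35\r\n\r\n"
        "user=admin%27+OR+%271%27%3D%271&pass=x")
XSS = ("GET /comment?text=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\n"
       "Host: shop.example\r\n\r\n")

BLOCK_THRESHOLD = 5  # hypothetical: block once the anomaly score reaches this

# (name, pattern, score). Weak indicators score low so that one of them in
# legitimate text is allowed, while a strong indicator or several weak ones
# together cross the threshold. This is the anomaly-scoring approach used by
# rule sets such as the OWASP CRS, reduced to a handful of illustrative rules.
RULES = [
    ("path-traversal", re.compile(r"(^|/)\.\.(/|$)"), 5),
    ("sqli-union", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I), 5),
    ("sqli-tautology", re.compile(r"'\s*(or|and)\s+['\d]", re.I), 5),
    ("sqli-stacked", re.compile(r";\s*(drop|delete|insert|update)\b", re.I), 3),
    ("sqli-comment", re.compile(r"(--|/\*)"), 2),
    ("xss-tag", re.compile(r"<\s*(script|img|svg|iframe)\b", re.I), 5),
    ("xss-handler", re.compile(r"\bon[a-z]+\s*=", re.I), 3),
]


def normalize(value: str) -> str:
    """Undo the encoding layers used to evade naive matching: percent-decode
    until the value stops changing (catches %252e%252e), then fold backslashes
    and repeated slashes so path rules see one canonical form."""
    previous = None
    while value != previous:
        previous, value = value, unquote(value)
    return re.sub(r"/+", "/", value.replace("\\", "/"))


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, arguments and headers.
    Query and form-encoded body arguments are merged, as a WAF inspects both."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    args = dict(parse_qsl(parts.query, keep_blank_values=True))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        args.update(parse_qsl(body, keep_blank_values=True))
    return {"method": method, "path": parts.path, "args": args, "headers": headers}


def inspect(raw: str) -> dict:
    """Score every inspected field against every rule and return the verdict."""
    req = parse_request(raw)
    # Fields a WAF inspects: the path, each argument, and headers that attackers
    # commonly abuse because applications log or echo them.
    fields = {"path": req["path"]}
    fields.update({f"arg:{name}": value for name, value in req["args"].items()})
    for header in ("user-agent", "referer", "cookie"):
        if header in req["headers"]:
            fields[f"header:{header}"] = req["headers"][header]
    score, matches = 0, []
    for field, value in fields.items():
        canonical = normalize(value)
        for name, pattern, points in RULES:
            if pattern.search(canonical):
                score += points
                matches.append(f"{name}@{field}")
    action = "block" if score >= BLOCK_THRESHOLD else "allow"
    return {"score": score, "matches": matches, "action": action}


if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("traversal", TRAVERSAL),
                       ("sqli", SQLI), ("xss", XSS)):
        print(label, inspect(raw))
```

The benign request contains a bare `--`, which scores 2 and is allowed; the double-encoded traversal, the tautology in the POST body and the script tag each cross the threshold on their own. Repeated decoding is what makes the traversal case work: decoding once would leave `%2e%2e` in the path and the rule would never fire. A production WAF applies many more transformations (HTML entity decoding, Unicode normalization, comment stripping) and hundreds of rules, but the structure is the same.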

Best web application firewall features

Like any other security technology, WAFs differ significantly in their capabilities. The first requirement is obvious: the WAF must detect the web application attacks it was deployed to prevent. Attacks are increasingly tailored to a particular target and written to evade basic signature matching, for instance by encoding or obfuscating the payload. Buyers should therefore look for WAFs that can detect previously unseen attacks, including exploitation of zero-day vulnerabilities, which in practice means a positive security model that allows only what the application is known to accept, and anomaly detection, rather than signatures alone.

At the same time, buyers should look for WAFs that avoid generating excessive false positives. A false positive occurs when benign activity is classified as malicious and blocked, disrupting operations. A WAF should minimize false positives, for example through anomaly scoring that blocks only when the indicators in a request add up to a threshold, and it should offer a detection-only mode so that new rules can be tuned against real traffic before they are switched to blocking. Otherwise the barrage of bogus alarms may cause so many problems that the WAF ends up being switched off or bypassed, letting attacks through.

Another capability to look for is the use of high-quality threat intelligence. Threat intelligence feeds, also known as reputation services, contain IP addresses, domains and other characteristics of network traffic that have recently been associated with malicious activity. A WAF and other enterprise security controls can use this information to flag or block traffic from known-bad sources before an attack payload is even seen. At a minimum, a WAF should use a reputable, frequently refreshed feed: reputation data ages quickly, and a stale feed both misses new sources and keeps blocking addresses that have since been reassigned to legitimate users.

In addition to threat intelligence feeds, a WAF should receive constant updates on the newest web application vulnerabilities and attacks, as determined by the WAF vendor's security researchers and by automated techniques such as machine learning. Not all WAFs offer this yet, so it helps distinguish the most advanced products from the rest.

Another useful feature is integration with application security assessment tools (scanners). When a WAF is used with a scanner, it can automatically create custom policies from the scan results: the scanner identifies a vulnerability in a specific page and parameter, and the WAF generates a rule, often called a virtual patch, that looks for and blocks exploitation of that vulnerability until the application itself is fixed. The integration is not essential, but it improves detection accuracy, since each rule is scoped to a known-vulnerable input rather than applied blindly to every request, and it reduces staff workload by automating what is otherwise a largely manual policy configuration process.
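A scanner-driven virtual patch, as an added Python example that is not the article's or any vendor's code: a constructed scanner finding names the page and parameter, the WAF derives a rule scoped to that one field (a positive allowlist when the parameter's type is known, a targeted negative signature otherwise), and the rule runs in log-only mode until it has been checked against real traffic and is promoted to blocking. The finding format, the allowlists, the signatures and the two modes are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl

# Constructed scanner findings (hypothetical format). The first reports a SQL
# injection in a parameter the scanner knows is numeric; the second an XSS in a
# free-text parameter whose legitimate format cannot be pinned down.
FINDINGS = [
    {"path": "/product", "param": "id", "vuln": "sqli", "type": "int"},
    {"path": "/search", "param": "q", "vuln": "xss"},
]

# Positive-model allowlists by declared parameter type. A value that does not
# match is rejected regardless of which payload the attacker tries next.
ALLOWLIST = {
    "int": re.compile(r"\d{1,10}"),
    "slug": re.compile(r"[a-z0-9-]{1,64}"),
}

# Fallback when the legitimate format is unknown: a targeted negative rule for
# the vulnerability class the scanner reported, applied only to that field.
SIGNATURES = {
    "sqli": re.compile(r"('|\bunion\b|\bselect\b|--|/\*)", re.I),
    "xss": re.compile(r"(<|>|javascript:|\bon[a-z]+\s*=)", re.I),
}


@dataclass
class VirtualPatch:
    path: str
    param: str
    vuln: str
    allow: Optional[re.Pattern]  # positive model when the type is known
    mode: str = "log"            # every new patch starts in log-only mode


def build_patches(findings):
    """One scoped rule per (path, parameter) the scanner flagged."""
    return [VirtualPatch(f["path"], f["param"], f["vuln"], ALLOWLIST.get(f.get("type")))
            for f in findings]


def promote(patches, path, param):
    """Switch a patch to blocking once its log-only hits have been reviewed and
    show no false positives."""
    for p in patches:
        if p.path == path and p.param == param:
            p.mode = "block"


def evaluate(patches, path, query):
    """Apply every patch whose scope matches the request. Returns the action
    and the patches that fired, so log-only hits can be reviewed for tuning."""
    args = dict(parse_qsl(query, keep_blank_values=True))
    action, hits = "allow", []
    for p in patches:
        if p.path != path or p.param not in args:
            continue
        value = args[p.param]
        if p.allow is not None:
            suspicious = p.allow.fullmatch(value) is None
        else:
            suspicious = SIGNATURES[p.vuln].search(value) is not None
        if suspicious:
            hits.append(f"{p.path}?{p.param} [{p.vuln}, {p.mode}]")
            if p.mode == "block":
                action = "block"
    return action, hits


if __name__ == "__main__":
    patches = build_patches(FINDINGS)
    print(evaluate(patches, "/product", "id=42+OR+1%3D1"))  # logged, still allowed
    promote(patches, "/product", "id")
    print(evaluate(patches, "/product", "id=42+OR+1%3D1"))  # now blocked
```

Scoping is what makes this accurate. The SQL signature here would flag an apostrophe in an ordinary surname, but because it is applied only to the fields the scanner reported, and is logged before it is enforced, the false-positive cost is visible and contained instead of being spread across every request on the site. Where the parameter's format is known, the allowlist is preferable to any signature: `id=42 OR 1=1` fails it without the WAF needing to recognize the SQL.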

WAF automation capabilities can be helpful in other ways as well. WAFs increasingly offer robust application programming interfaces (APIs). These APIs allow organizations to go beyond the functionality available through the WAF's standard management interface. For example, an organization could use the API to automatically revise a particular WAF rule and alert technical staff when a pattern of abnormal activity is detected. Another example is to use the API to monitor the WAF and trigger another enterprise security control to respond when a certain type of attack occurs.

The bottom line

WAFs are highly useful for protecting web applications from a wide variety of attacks. Although they are most valuable for applications whose source code is not available, other applications benefit too, because a WAF can provide protection during the window between the discovery of a vulnerability and the deployment of a fixed version. Organizations that expose sensitive data through web applications should use a WAF product or service as an important line of defense against data breaches, keeping in mind that it is a compensating control, not a substitute for fixing the application. Organizations evaluating WAFs should look for emerging features such as high-quality threat intelligence feeds, constant updates on the newest vulnerabilities and attacks, and advanced automation, all of which improve the accuracy of WAF detection.


This was last published in January 2017