I’ve been noticing a trend from security vendors who promise security-in-a-box solutions, and Web Application Firewalls (WAFs) are being promoted as one such solution. Unfortunately, organisations are dancing to this seductive, albeit dangerous, tune.
As a result, organisations choose to have their WAFs filter out the traffic that would exploit their known vulnerabilities, instead of applying vendor-approved updates and fixes, or refactoring or rewriting the vulnerable code.
Don’t give your WAF the whole responsibility!
A WAF is a piece of software capable of applying a set of rules to an HTTP conversation. These rules allow the organisation to make control-flow decisions on the HTTP interaction (allow, block, log) and therefore help mitigate and protect against certain common attacks on the Web (XSS, SQLi, etc.).
In short, it adds an additional layer of security to a web application, which is a good thing. This is done by keeping a separate rule-set for the detection and prevention of attacks, keeping the actual application oblivious to such attempts.
“Just because you feel safe, doesn’t mean that you’re secure”
WAFs exist in many different guises: network appliances, full-blown applications, or even modules running inside web servers. When correctly deployed, WAFs are a huge help in preventing some common attacks on organisations’ applications. Cross-site scripting, SQL injection and brute-force attacks are at the top of the list of attacks you would be able to prevent with the help of a correctly configured WAF.
Of course, having a WAF doesn’t mean you can do without security-aware developers and secure coding practices, or stop applying security updates, just because you are “protected” against some of these threats. Security controls should be placed as near as possible to the asset you are trying to protect, and a defence-in-depth approach is required. A WAF should therefore be one of many security measures deployed, not relied on in isolation.
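To make the difference between the two layers concrete, here is an added example (not code from the original post, and not modelled on any particular WAF product) that puts a small rule-based filter in front of a handler. The rule-set, the `Request` type and the sample user table are constructed for illustration. The rule engine does what a WAF does: it matches patterns in the HTTP conversation and blocks what it recognises. The weakness itself, a query built by string concatenation, lives in `lookup_vulnerable` whether or not the WAF is there; the fix at the asset is the parameterised query in `lookup_fixed`, which returns nothing for the injected input no matter what the filter in front of it does.

```python
import re
import sqlite3
from dataclasses import dataclass

# Constructed sample rule-set: a WAF rule is simply a pattern applied to some
# part of the HTTP conversation, here the query-string values. These are
# hypothetical rules written for this example, not a real product's signatures.
WAF_RULES = [
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script")),
]


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (hypothetical type)."""
    path: str
    query: dict


def waf_inspect(request):
    """Return the name of the first rule that matches, or None if the request passes."""
    for name, pattern in WAF_RULES:
        for value in request.query.values():
            if pattern.search(value):
                return name
    return None


def build_db():
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn, username):
    # The vulnerability: untrusted input concatenated into the SQL statement.
    # A WAF in front of this code does not remove the defect, it only hides
    # it from the request patterns the rules happen to recognise.
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, username):
    # The fix at the asset itself: a parameterised query. The database driver
    # treats the value purely as data, so no rule-set is needed to keep it safe.
    sql = "SELECT id FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def handle(conn, request, lookup):
    """WAF layer in front of the application handler. Returns (status, body)."""
    hit = waf_inspect(request)
    if hit:
        return (403, {"blocked_by": hit})
    return (200, {"ids": lookup(conn, request.query.get("user", ""))})


if __name__ == "__main__":
    db = build_db()
    normal = Request("/user", {"user": "alice"})
    injected = Request("/user", {"user": "' OR '1'='1"})
    print(handle(db, normal, lookup_fixed))           # (200, {'ids': [1]})
    print(handle(db, injected, lookup_vulnerable))    # (403, ...) the rule catches it
    print(lookup_vulnerable(db, injected.query["user"]))  # [1, 2, 3]: the bug is still there
    print(lookup_fixed(db, injected.query["user"]))       # []: the fix holds without the WAF
```

The point of the last two lines is the one the post makes: calling the vulnerable function directly, as any path the rules do not cover would, still returns every row, while the parameterised version is safe on its own. The rule-set is worth having as an extra layer, but the control that actually closes the weakness is the one sitting next to the asset.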
“In the absence of other factors, always use the most secure options available.” – Dr. Joel Snyder
Whilst filtering the input and output of your application might protect you against some of the OWASP Top Ten attacks, WAFs are only able to protect against a few specific and well-known attacks.
Keeping in tune with the “locking doors behind locked doors” mantra that guides the defence-in-depth approach, you should always keep increasing the overall security of your environment to keep pace with the current threats out there. This should be done by applying security patches, fixing security bugs in software, hardening configurations, and establishing and maintaining security baselines.
Security is not a recipe. Security is an on-going process that evolves over time. This process includes applying updates, whether to devices (security patches), people (raising security awareness) or processes (security reviews).
Relying on a WAF to protect you from a known weakness so that you can avoid patching it will only lead to more headaches further down the line.
This subject is something that we will explore further in later posts.