Get started Bring yourself up to speed with our introductory content.

Why effective Web app firewalls are worth the investment

Web app firewalls offer excellent protection against threats and attacks, but security expert Dan Cornell says investment is required to get results.

How much work will a Web application firewall do? How much attention does it need to keep it in sync with applications that are continuously improving?

Rather than asking how much work your Web application firewall can do for you, start by asking how much you want to do for your WAF. This is an important question to ask before you embark on deploying a WAF, especially one that is going to be guarding an application or applications with a fast development cycle. Web app firewalls can provide excellent protection against certain types of threats and certain types of attacks, but many organizations embark on deployments without a full understanding of the investment required to achieve the desired results.

Start by asking how much you want to do for your WAF.

Most commercial WAFs have two important capabilities: training and customization. If you are looking to deploy a WAF to detect and block application attacks, certain characteristics of your application are going to determine how effective the detection and blocking will be and how much work will be required to maintain custom protections.

For applications that are frequently changed, protection thresholds may need to be relaxed in order to avoid false blocks, as the training capabilities may fail to keep pace with an accelerated deployment schedule. In addition, complex applications or ones with unique requirements will likely require rule customization to shape how the WAF's detection and blocking algorithms view traffic sent to the application.

Added customization can make WAFs more effective in detecting and blocking, but these customizations take time and have to be maintained as applications evolve. A failure to maintain rule sets can result in degraded protection over time, as well as requests that are blocked unnecessarily.

Many organizations look at Web app firewalls as protection technologies that are deployed to detect and stop attacks before they can result in some sort of loss or compromise. This is certainly desirable, but, as previously discussed, actually achieving these results can be challenging and involve hidden or unplanned costs. An alternate way to look at a WAF deployment is to consider it a way to gain intelligence about the application's usage and attack patterns.

In intelligence-gathering deployments, blocking rules are eliminated or scaled back, and the focus is instead on gathering log data about traffic patterns, suspicious requests over time and so on. This can provide a picture of reconnaissance activities and also potentially provide forensic value in case of an incident. These types of deployments might not live up to the hype surrounding so-called magic WAFs that are deployed, instantly learn about the application and are then successful blocking all attacks, but they might be more realistic, given an organization's level of resources and commitment to ongoing investment in its WAF deployment.

In the end, an organization should embark on a WAF deployment only if it has a thought-out set of goals for the deployment, other than, "Please make my auditor leave me alone." An organization also needs to have realistic expectations about the level of protection it will receive, as well as the amount of investment that will be required to achieve that protection.

Dig Deeper on Topics Archive

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Do you think Web app firewalls are worth the investment?
application undergoes various application testing activities and the outcome of the test is to be mitigated during a definite time frame. Once detected contacting application devloper making them understandable about the risk, devlopment of patch testing in uat then deploying in production are becoming a great time span, which requires to be mitigated in short span, that is the beuty of waf which will try to protect the vulneribilites if any exists in the system.
Built from the ground up to address the unique challenges of public and private cloud environments, Alert Logic partners with over half of the largest cloud and hosting service providers to provide Security-as-a-Service solutions for business application deployments for over 1,700 enterprises