The WAF Is Dead (and we know who did it)

By: TJ Gonen | Saturday, April 17 2021 - 01:05 IWST

Photo: TJ Gonen, Head of Cloud Security Products, Check Point
The past couple of decades have turned the Web Application Firewall (WAF) into a ubiquitous piece of security kit.

Any organisation with a web application (which includes most large businesses) has a WAF installed to protect their data and assets from being breached. Best practice for securing web applications has evolved to simply deploying a WAF in front of your app.

The truth, however, is that today, with the modern application lifecycle empowering DevOps to release updates at a much higher frequency, the traditional WAF has not been able to keep up, and maintaining a WAF has become both labour-intensive and complex.

Given this challenge, what should security professionals do? What will prevent web applications from becoming the front door into an organisation’s infrastructure? Knowing that DevOps are going to keep spinning out new code, how can one figure out if their WAF is worth the maintenance or dead in the water?

Let’s take a closer look at what it would take for your WAF to keep up with the speed of DevOps.

Context is king

While network security was all about monitoring static networks which use the same protocols as one another, WAFs were designed to protect web applications that are distinctly different from one another.

Every app is unique, and each piece of code is different and nuanced, with its own set of vulnerabilities. Even before the introduction of cloud storage and the breakneck speed of DevOps, WAFs were recognised as being only a “mediocre” security solution.

Inevitably, using a solution that sits in front of the app, rather than inline, means that contextual analysis is impossible. With no context to understand the content within the app that’s being interacted with, it’s impossible to automate the WAF’s evolution in parallel with the application’s evolution.

Education, education, education

Machine learning improvements only solved this conundrum to a degree. While sophisticated WAFs need “only” a month to silently sit and learn to create a baseline for the application, a month is a long time to leave an app unprotected.

It’s inevitable that humans need to step in and help calibrate the WAF, and that’s when the maintenance becomes heavy duty. If the WAF needs time to learn and create a baseline every time the content or code changes, there is a lot of heavy lifting for the administrator to carry out in order to reduce alerts and create exceptions.

Automate or disintegrate

With continuous delivery, it is just not possible for your WAF to protect a web application from logic attacks without human intervention.

The reality is that most WAFs aren’t in alert mode. It is too dangerous to allow them to over-block because the high volumes of alerts will create alert fatigue.

Perhaps an administrator can do some minor fine tuning so sensitive parts of the app are covered with blocking rules, but the rest of the app will be protected by the WAF in alert mode using pattern matching and other crude techniques.

This adds up to a security solution which can’t auto-deploy to protect from new logic attacks as the app evolves.

Go fast or go home

Native cloud computing is about agility. What took two weeks to create back in 2015 now takes mere seconds.

By leveraging new microservices, you can dramatically change your app in a few minutes. In this new environment, it is absurd to consider using a standard pre-cloud application security solution that relies on learning or manual configuration.

Each time a developer tweaks code and sends it out into the wild, it’s a unilateral move made without consultation with security personnel. If you’re using a WAF that relies on the assumption that ANYTHING in your environment is generic, your WAF is defunct and it’s time to call in the undertakers.

WAF is dead, and DevOps killed it. Now’s the time to run a forensic analysis to figure out if your WAF has a pulse, or if you’re carrying a deadweight. Here are a few questions you should ask:

Is your WAF designed for the cloud?

Can your WAF distinguish legitimate traffic and users from malicious ones?

Can your WAF distinguish bots and other OWASP attack vectors from legitimate inquiries?
