In my previous column I touched on the point of implementing Web Application Firewalls (WAFs) as part of a measure to prevent clickjacking. I thought I would expand on the benefits of WAFs, and why they can make all the difference between a safe organization and one that’s been compromised. Many IT managers and CIOs still grapple with WAFs because they are expensive and a bear to maintain. They’re sometimes deemed unnecessary if other security practices such as proper secure software development and code review are present. If you’re running on a limited budget or resource pool, you may have moved WAFs into the “want to have” bucket out of the “need to have.” I suggest you take another look, and here are three reasons why.
Protection Against Zero-day Exploits
WAFs are an important piece of layered security architecture to prevent a Zero-day exploit. You might remember last summer when a Zero-day exploit was discovered for TimThumb, a popular image resizing module for Wordpress. TimThumb is included in numerous Wordpress plugins and themes. The remote file vulnerability included in this instance was the result of flawed programming logic that essentially allowed anyone to upload any file and execute it in the TimThumb cache directory. This led to countless compromised Wordpress installations. The lesson here: you’re not always in control of the software you’re using, and therefore, not in control of its security. If a Zero-day exploit is dropped, you are now at the mercy of that software developer to come up with an official patch, or you have to remove the functionality all together. If you’ve deployed a WAF, you can virtually patch the vulnerability and protect your infrastructure until the vendor has released a patch, or until you can properly patch the code yourself.
Automated Temporary Patches
You’re likely (hopefully) running vulnerability scans quite often. Depending on the nature of your business and your available resources, you may be running scans once a quarter or several times a month. So what happens when you discover a vulnerability in your Web application? Some organizations have the manpower to patch or otherwise address the risk immediately. Others simply can’t do that for a host of reasons including lack of technology staff that are experienced with certain vulnerabilities. If your company falls into the latter group, then your organization is at risk as long as that vulnerability is present. Some WAFs have the ability to import your scan findings, and automatically virtually patch your application for immediate protection. This temporary patch isn’t a fail-safe, but it’s enough to mitigate risk until you’re prepared to address it with something more permanent.
Stops Data Leakage
Hackers have quite a few ways to export data, and unless you know you’ve been compromised, detecting that exfiltration can be tricky. Data leakage can be caused by something as insignificant as a verbose error message presented to a public application user. If your application is harboring source code, credit card numbers, health information or other critical data, then a simple leak can turn into a catastrophe. In this instance, a WAF would be like an x-ray machine -- scanning everything that is returned as a response to your Web application users. If the WAF finds something it doesn’t like, then it’s flagged and stopped from leaving your network. Most WAF vendors write high-level behavioral signatures looking for credit card numbers and social security numbers. You can also write additional signatures looking for anything you don’t want to leave your network. Examples may include vital record information, source code, and certain files names.
These are just three examples, but there are numerous reasons to consider bringing Web Application Firewalls into your security program. I urge you to do your research. If you can find a way to deploy these firewalls it can be well worth the cost, even if you think your organization isn’t a terribly high risk.