In my previous column I touched on the point of implementing Web Application Firewalls (WAFs) as part of a measure to prevent clickjacking. I thought I would expand on the benefits of WAFs, and why they can make all the difference between a safe organization and one that’s been compromised. Many IT managers and CIOs still grapple with WAFs because they are expensive and a bear to maintain. They’re sometimes deemed unnecessary if other security practices such as proper secure software development and code review are present. If you’re running on a limited budget or resource pool, you may have moved WAFs into the “want to have” bucket out of the “need to have.” I suggest you take another look, and here are three reasons why.
Protection Against Zero-day Exploits
Automated Temporary Patches
You’re likely (hopefully) running vulnerability scans quite often. Depending on the nature of your business and your available resources, you may be running scans once a quarter or several times a month. So what happens when you discover a vulnerability in your Web application? Some organizations have the manpower to patch or otherwise address the risk immediately. Others simply can’t, for a host of reasons, including a lack of technology staff who are experienced with certain vulnerabilities. If your company falls into the latter group, then your organization is at risk for as long as that vulnerability is present. Some WAFs can import your scan findings and automatically “virtually patch” your application for immediate protection. This temporary patch isn’t a fail-safe, but it’s enough to mitigate the risk until you’re prepared to address it with something more permanent.
Stops Data Leakage
Hackers have quite a few ways to export data, and unless you know you’ve been compromised, detecting that exfiltration can be tricky. Data leakage can be caused by something as insignificant as a verbose error message presented to a public application user. If your application is harboring source code, credit card numbers, health information or other critical data, then a simple leak can turn into a catastrophe. In this instance, a WAF would be like an x-ray machine — scanning everything that is returned as a response to your Web application users. If the WAF finds something it doesn’t like, it flags the response and stops it from leaving your network. Most WAF vendors write high-level behavioral signatures looking for credit card numbers and social security numbers. You can also write additional signatures looking for anything you don’t want to leave your network. Examples may include vital record information, source code, and certain file names.
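As an added illustration (not code from this column or from any WAF vendor), here is a minimal egress filter in the spirit of those behavioral signatures: it scans an outbound response body for Luhn-valid card numbers, dashed US social security numbers, and site-specific patterns such as a Java stack-trace marker, masks what it finds so the alert itself does not leak, and blocks the response. The sample responses and signature names are constructed for the example.

```python
import re

# Constructed sample responses, standing in for what a WAF sees leaving the application.
RESPONSES = {
    "card": "Order confirmed. Card on file: 4111 1111 1111 1111, thanks!",
    "ssn": "<td>SSN</td><td>123-45-6789</td>",
    "stacktrace": "Exception in UserDao.java:42 at com.example.shop.UserDao.load",
    "benign": "Ticket 12345678901234 shipped, tracking 1234567812345678",
}

# 13-19 digits with optional single space/dash separators; candidates are then Luhn-checked.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in dashed form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Site-specific signatures: the "anything you don't want to leave your network" category (constructed).
SIGNATURES = (("java_stacktrace", r"\b\w+\.java:\d+\b"),)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from order/tracking numbers of similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four digits so the WAF's own alert does not become a second leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def inspect_response(body: str, extra_signatures=()):
    """Return a list of (signature_name, masked_match) findings for one outbound response."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):  # drop long numbers that merely look like card numbers
            findings.append(("credit_card", mask(digits)))
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", mask(m.group(0))))
    for name, pattern in tuple(SIGNATURES) + tuple(extra_signatures):
        for m in re.finditer(pattern, body):
            findings.append((name, m.group(0)))
    return findings

def egress_decision(body: str, extra_signatures=()):
    # Block the response if any signature fires, otherwise let it through.
    findings = inspect_response(body, extra_signatures)
    return ("BLOCK" if findings else "ALLOW"), findings
```

The Luhn check is what keeps the benign ticket and tracking numbers from being blocked; a real deployment would also tune the site-specific signatures against a sample of normal traffic before switching from alert to block.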
These are just three examples, but there are numerous reasons to consider bringing Web Application Firewalls into your security program. I urge you to do your research. If you can find a way to deploy these firewalls it can be well worth the cost, even if you think your organization isn’t a terribly high risk.