What is a WAF?
And why is a WAF an effective security strategy for business success?
What is WAF Security?
A WAF, or web application firewall, defends the Layer 7 (application layer) perimeter. It sits between clients and the web application, inspects HTTP and HTTPS requests and responses, and is responsible for protecting business-critical web applications against the OWASP Top 10, zero-day attacks, exploitation of known or unknown vulnerabilities, and a range of other application-layer attacks. As organizations undertake new digital initiatives and expand their attack surface to enable the business, they often find that new web applications and APIs become exposed. A WAF helps keep these applications and the data they access secure. It is a compensating control in front of the application rather than a fix for the underlying flaw, so it complements secure development and patching rather than replacing them.
Why a WAF Is Critical for Organizations
Digital innovation (DI) efforts that drive increased use of web technologies require a fundamental change in the way organizations conduct business using digital technology. Successful DI is more than simply deploying technology; it requires a focus on customer needs and a willingness to embrace rapid change, including rapid adoption and deployment of the technologies that help organizations meet those needs. Public cloud and Software-as-a-Service (SaaS) solutions, for example, can help organizations accelerate their business when properly used. Yet as rapid adoption of these technologies increases the speed of business operations, security is sometimes sacrificed, leaving web applications at risk.
As users increasingly access business applications from unmanaged, bring-your-own devices (BYOD) over networks the organization does not control and without a VPN, organizations must recognize that traditional network perimeter security is not adequate for protecting internet-facing applications. Organizations running business-critical applications need a control that addresses the Layer 7 perimeter. A WAF is that control: it protects the applications and the data behind them regardless of where the client is connecting from.
What Types of Threats Does a WAF Prevent?
Modern web applications require a comprehensive WAF to protect important applications against multiple types of threats, including the OWASP Top 10, which the Open Web Application Security Project (OWASP) says "represents a broad consensus about the most critical security risks to web applications." OWASP revises the list every few years, and WAF rule sets are generally organized around its categories.
However, the OWASP Top 10 is only the beginning. OWASP describes the Top 10 as a list of the most pervasive risks, the ones organizations should not tolerate, and explicitly as an awareness document rather than a complete standard. Modern WAF security must go further and address threats outside the scope of the OWASP Top 10, such as automated bot traffic, application-layer DDoS, malicious file uploads and information leakage, all of which appear in the capability comparison at the end of this page.
How a WAF Delivers API Protection
The days of basic web sites serving up simple HTML pages have passed. Web applications today deliver mission-critical services through APIs that provide a richer, more responsive experience by letting the client process raw data instead of just rendering HTML. The same APIs back the mobile applications users rely on, so a WAF must cover them as well as browser-facing pages. Because the client is handed raw data rather than a rendered page, a single exploitable API call can expose far more than a traditional page ever rendered, and without a WAF in front of the API the impact of such an exploit is correspondingly larger. API protection in a WAF is typically a positive security model: the WAF checks each request against what the endpoint is designed to accept (methods, fields, types, sizes), in addition to matching known attack signatures.


WAF for Compliance
Making the data that web applications rely on available to the application often comes with compliance obligations, and a WAF helps organizations meet them as well. PCI DSS, for example, defines the security requirements that organizations handling payment card data must meet, and PCI DSS Requirement 6.6 in particular comes up whenever WAF technologies are discussed.
That requirement says public-facing web applications must be protected against known attacks on an ongoing basis, and offers two options: reviewing the application for vulnerabilities (manual or automated code review and testing, repeated at least annually and after every change, which can slow deployments), or installing an automated technical solution that detects and prevents web-based attacks, in practice a WAF, between the client and the web application. In a world where organizations are expected to deploy code changes frequently and rapidly as they adopt DevOps methodologies, a robust WAF is often the more practical way to meet this requirement. Two caveats apply. A WAF satisfies the requirement only if it is actively running, kept up to date, generating audit logs, and configured either to block attacks or to alert so that they are investigated immediately; a WAF left in monitor-only mode with stale rules does not. And in PCI DSS v4.0 the requirement has moved to 6.4.1 and 6.4.2, where the automated solution stops being one of two options and becomes mandatory.
Advanced WAF Capabilities
Organizations must also protect data from modern threats while minimizing friction for legitimate users. That friction includes being blocked by false positives and being made to solve excessive CAPTCHA challenges to prove one is human. The following advanced WAF capabilities help keep the user experience acceptable without weakening protection:
Machine learning
Traditional application learning techniques require manual tuning and are prone to false positives. Re-tuning every time the application changes and remediating false positives drives up administrative overhead for teams that may already be overburdened. Machine learning in a WAF changes this by automatically modeling real web application behavior (which parameters each endpoint takes, what lengths and character sets they normally carry) and updating that model as the application evolves, so security teams spend less time manually tuning the WAF and creating exceptions for false positives. The model is only as good as the traffic it learned from: the learning period must be representative, attack traffic must be excluded from the baseline, and a profile should be enforced only once enough samples exist to trust it.
Advanced reporting
Simply blocking a request is not enough; organizations need the full event detail a WAF can provide. Attack logs should carry what SOC analysts need to triage an event without reproducing it: the rule that matched, a clear statement of why the request was blocked, the client address, the method and path, and the relevant request headers and body. Logs in a structured format that can be exported to a SIEM let analysts correlate WAF events with the rest of their telemetry.
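The following Python sketch is an added example, not FortiWeb or AWS WAF code, that ties together the threat coverage, API protection and reporting sections: a small inspection engine that first applies negative-model signatures for OWASP Top 10 injection patterns, then enforces a positive-model schema for one JSON API endpoint (allowed fields, types, sizes and content type), and emits a structured attack-log line with the rule, the reason and the evidence. The rule ids, the endpoint schema and the sample requests are constructed for illustration.

```python
"""Minimal request-inspection engine in the style of a WAF policy.  Added
example, not FortiWeb or AWS WAF code: rule ids, schema and samples are constructed."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Negative security model: signatures for a few OWASP Top 10 injection patterns.
SIGNATURES = [
    ("SQLI-001", re.compile(r"(?i)\b(?:or|and)\b\s+\d+\s*=\s*\d+|--\s*$|;\s*drop\b|\bunion\s+select\b")),
    ("XSS-001", re.compile(r"(?i)<\s*script\b|javascript:|\bon(?:load|error|click|mouseover)\s*=")),
    ("TRAV-001", re.compile(r"(?i)\.\./|%2e%2e%2f")),
]

# Positive security model: what one JSON API endpoint may receive (a real WAF
# derives this from an OpenAPI document or from its learning mode).
API_SCHEMA = {
    ("POST", "/api/v1/transfer"): {
        "fields": {"to_account": (str, 20), "amount": ((int, float), None), "memo": (str, 140)},
        "required": {"to_account", "amount"},
        "max_body": 1024,
    },
}

@dataclass
class Request:
    method: str
    path: str
    query: dict
    headers: dict
    body: bytes = b""

@dataclass
class Verdict:
    action: str                 # "allow" or "block"
    rule: str = ""
    reason: str = ""
    request: Optional[Request] = None

    def log_line(self) -> str:
        """Structured attack-log event: rule, reason and evidence for the SOC/SIEM."""
        r = self.request
        return json.dumps({"action": self.action, "rule": self.rule, "reason": self.reason,
                           "method": r.method, "path": r.path, "query": r.query,
                           "body_excerpt": r.body[:200].decode("utf-8", "replace")})

def inspect(req: Request) -> Verdict:
    def block(rule, reason):
        return Verdict("block", rule, reason, req)
    # 1. Signature scan over every client-controlled string (query, headers, body).
    strings = list(req.query.values()) + list(req.headers.values()) + [req.body.decode("utf-8", "replace")]
    for rule_id, pattern in SIGNATURES:
        for s in strings:
            if pattern.search(s):
                return block(rule_id, f"signature matched in {s[:40]!r}")
    # 2. Schema enforcement for endpoints the policy knows about.
    schema = API_SCHEMA.get((req.method, req.path))
    if schema is None:
        return Verdict("allow", request=req)
    if len(req.body) > schema["max_body"]:
        return block("API-SIZE", f"body of {len(req.body)} bytes exceeds {schema['max_body']}")
    if not req.headers.get("Content-Type", "").startswith("application/json"):
        return block("API-CT", "endpoint only accepts application/json")
    try:
        doc = json.loads(req.body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return block("API-JSON", "body is not a JSON object")
    unknown = sorted(set(doc) - set(schema["fields"]))
    missing = sorted(schema["required"] - set(doc))
    if unknown or missing:
        return block("API-FIELD", f"unexpected fields {unknown}, missing fields {missing}")
    for name, value in doc.items():
        typ, max_len = schema["fields"][name]
        if isinstance(value, bool) or not isinstance(value, typ):   # bool is an int in Python
            return block("API-TYPE", f"field {name!r} has the wrong type")
        if max_len is not None and len(value) > max_len:
            return block("API-LEN", f"field {name!r} longer than {max_len}")
    return Verdict("allow", request=req)

# Constructed sample traffic: two browser requests and three API calls.
SAMPLES = [
    Request("GET", "/search", {"q": "firewall rules"}, {}),
    Request("GET", "/search", {"q": "' OR 1=1--"}, {}),
    Request("POST", "/api/v1/transfer", {}, {"Content-Type": "application/json"},
            b'{"to_account": "ACC-1001", "amount": 100.5, "memo": "rent"}'),
    Request("POST", "/api/v1/transfer", {}, {"Content-Type": "application/json"},
            b'{"to_account": "ACC-1001", "amount": 100.5, "is_admin": true}'),
    Request("POST", "/api/v1/transfer", {}, {"Content-Type": "application/json"},
            b'{"to_account": "ACC-1001", "amount": 1, "memo": "<script>alert(1)</script>"}'),
]

def run(samples=SAMPLES):
    """Inspect each sample, print the attack log for blocked ones, return all verdicts."""
    verdicts = [inspect(r) for r in samples]
    for v in verdicts:
        if v.action == "block":
            print(v.log_line())
    return verdicts
```

Calling `run()` allows the first and third requests and blocks the other three, printing one JSON log line per block. The schema step is what makes this API protection rather than just pattern matching: the request carrying `"is_admin": true` contains nothing any signature would catch, yet it is rejected because the endpoint was never designed to accept that field, and the same goes for a boolean where a number is expected or an oversized body. The `--$` and `on...=` signatures also illustrate the tuning problem the page raises: innocuous inputs can match them, and every such false positive costs a legitimate user.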

APIs for Orchestration With a WAF
In addition to protecting the internet-facing APIs of business applications, an advanced WAF solution must provide its own APIs for managing the WAF itself, so that policy changes, rule updates and log retrieval can be driven from CI/CD pipelines, infrastructure-as-code and security orchestration tools rather than only from a console.
Choosing the right WAF
The table below compares the two Fortinet WAF options discussed on this page; an "x" marks a capability included in that offering, a blank cell one that is not.

| Capability | AWS WAF with FortiWeb WAF Rules | FortiWeb Cloud WAF as a Service |
|---|---|---|
| Backed by FortiGuard Labs threat intelligence | x | x |
| OWASP Top 10 protection | x | x |
| Delivered on AWS infrastructure | x | x |
| API WAF management | x | x |
| Bot mitigation | x | x |
| DDoS protection | x | x |
| Optional FortiSandbox integration | | x |
| File protection | | x |
| Information leak prevention | | x |
| Cross-site request forgery (CSRF) protection | | x |
| Content delivery network (CDN) included | | x |
| WebSocket security | | x |
| Attack log export to external SIEM | | x |
| API security | | x |