What is WAF?

And why is WAF an effective security strategy for business success?

What is WAF Security?

A WAF, or web application firewall, defends the Layer 7 (application layer) perimeter. In other words, a WAF is responsible for shielding business-critical web applications from the OWASP Top 10, zero-day threats, known and unknown vulnerabilities, and an array of other application-layer attacks. As organizations undertake new digital initiatives and expand their attack surface to enable the business, they often find that new web applications and APIs become exposed. A WAF helps keep these applications, and the data they access, secure.

Why a WAF Is Critical for Organizations

Digital innovation (DI) efforts that are driving increased use of web technologies require a fundamental change in the way organizations conduct business using digital technology. Successful DI is more than simply deploying technology. It requires a focus on customer needs and a willingness to embrace rapid change, including rapid adoption and deployment of the technologies that help organizations meet those customer needs. Public cloud and software-as-a-service (SaaS) solutions, for example, can help organizations accelerate the business when properly used. Yet as rapid adoption of these technologies increases the speed of business operations, security is sometimes sacrificed, leaving web applications at risk.

As users increasingly access business applications from unmanaged bring-your-own-device (BYOD) endpoints, over networks the organization does not control and without a VPN, organizations must recognize that traditional perimeter security solutions are not adequate for protecting internet-facing applications. Organizations running business-critical applications require a solution that addresses the Layer 7 perimeter. A WAF is the solution that protects these applications and their data.

What Types of Threats Does a WAF Prevent?

Modern web applications require a comprehensive WAF to protect important applications against multiple types of threats, including the OWASP Top 10 from the Open Web Application Security Project, which “represents a broad consensus about the most critical security risks to web applications.” The OWASP Top 10 (2017 edition) includes:

Injection attacks
When untrusted data is sent to an interpreter (SQL, OS shell, LDAP and others) as part of a command or query, an attacker can trick the interpreter into executing unintended commands or reading data without authorization.
Broken authentication
Authentication and session management that is implemented incorrectly lets attackers compromise passwords, keys or session tokens, or assume other users' identities.
Sensitive data exposure
Many web applications and APIs do not properly protect sensitive financial, healthcare and personal data, allowing attackers to steal or modify it for fraud, identity theft or other crimes.
XML external entities (XXE)
Many older or poorly configured XML processors evaluate external entity references, which can be used to disclose internal files, scan internal hosts or cause denial of service.
Broken access controls
When restrictions on what authenticated users are allowed to do are not enforced, attackers can access other users' data, view confidential files or change access rights.
Security misconfiguration
Insecure default settings, incomplete or ad hoc configurations, verbose error messages and missing hardening are the most commonly seen issues, and each can open a vulnerability.
Cross-site scripting (XSS)
When an application includes untrusted data in a web page without proper validation or escaping, an attacker can run script in the victim's browser to hijack sessions, deface sites or redirect users.
Insecure deserialization
Deserializing untrusted data often leads to remote code execution and can also enable replay, injection and privilege-escalation attacks.
Using components with known vulnerabilities
Libraries, frameworks and other components run with the same privileges as the application, so a single vulnerable component can compromise the whole application.
Insufficient logging and monitoring
Without adequate logging and monitoring, integrated with incident response, attackers can maintain persistence, pivot to other systems and tamper with data undetected.

However, taking the OWASP Top 10 into consideration is just the beginning. OWASP itself describes the Top 10 as an awareness document and a starting point, not an exhaustive catalogue of the risks an organization faces. Modern WAF security must go further to address threats outside the scope of the OWASP Top 10, including:

Bots
Programs that interact with applications, often mimicking human behavior. Good bots may be allowed to interact with an application and include search engines, virtual assistants and content aggregators (e.g., price comparison sites). Bad bot activity includes web scraping, competitive data mining, personal and financial data harvesting, account takeover, digital ad fraud and transaction fraud.
Malicious uploads
Many web applications allow users to upload their own content, which can include a variety of malicious code payloads.
Unknown vulnerabilities
Signature-based detection can only stop attacks for which someone has already written a signature, so it offers no protection against a newly discovered vulnerability until a signature is released. A robust WAF must be able to defend against threats for which no signatures exist, for example by enforcing a positive model of what legitimate requests look like.
Zero-day attacks
Attacks that target previously unknown flaws in an application, for which no patch yet exists. When a threat actor discovers a zero-day vulnerability, systems with no additional defensive layer in front of them are exposed until the application is fixed; a WAF that does not rely solely on signatures provides that layer.
Distributed Denial of Service (DDoS)
The use of a large number of systems, often a botnet of compromised computers, to overwhelm an application so that it cannot respond to legitimate requests. DDoS attacks may simply flood the application with traffic, or may exploit a flaw in the application logic (an expensive query, a slow-to-complete request) so that a comparatively small amount of traffic achieves the same result.
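The threats above are what a signature engine is built to catch, and the "unknown vulnerabilities" entry is where it stops. The following added example (written for this page; it is not FortiWeb or AWS WAF code, and the rule ids, patterns and sample requests are all constructed) is a toy request inspector. It normalizes each request field before matching, records why a request was blocked, and deliberately lets a business-logic flaw through to show the limit of signatures:

```python
"""Toy signature-based request inspector with input normalization.

Added example (not FortiWeb or AWS WAF code). Rule ids, reasons and the sample
requests are constructed. It demonstrates that (1) signatures must run on a
normalized view of each field, or encoded payloads slip past, and (2) a
signature engine is silent on a flaw nobody has written a rule for.
"""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Hypothetical rule set: (rule id, reason shown to the analyst, regex applied
# to the normalized value). Real rule sets are far larger.
RULES = [
    ("SQLI-001", "quoted SQL tautology or block comment",
     re.compile(r"'\s*or\s+[^=]+=\s*\S+|/\*.*\*/")),
    ("SQLI-002", "UNION SELECT", re.compile(r"\bunion\b.{0,40}\bselect\b")),
    ("XSS-001", "script tag or inline event handler",
     re.compile(r"<\s*script\b|\bon\w+\s*=")),
    ("XXE-001", "external entity declaration",
     re.compile(r"<!entity\b.{0,80}\bsystem\b")),
    ("LFI-001", "path traversal sequence", re.compile(r"(\.\./){2,}")),
]


@dataclass
class Request:
    method: str
    target: str                      # path plus query string from the request line
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Verdict:
    blocked: bool
    rule_id: Optional[str] = None
    reason: Optional[str] = None
    location: Optional[str] = None   # which request field tripped the rule
    evidence: Optional[str] = None   # the normalized value the rule matched


def normalize(value: str) -> str:
    """Percent-decode up to twice (defeats double encoding), drop NUL bytes,
    collapse whitespace and fold case. Production WAFs also handle HTML
    entities, overlong UTF-8 and Unicode confusables."""
    for _ in range(2):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value.replace("\x00", "")).lower()


def iter_fields(req: Request):
    """Yield (location, raw value) for each part of the request worth inspecting."""
    parts = urlsplit(req.target)
    yield "path", parts.path
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        yield f"query:{key}", val      # parse_qsl already decoded once
    if req.body:
        if req.headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
            for key, val in parse_qsl(req.body, keep_blank_values=True):
                yield f"body:{key}", val
        else:
            yield "body", req.body
    for name in ("User-Agent", "Referer", "Cookie"):
        if name in req.headers:
            yield f"header:{name}", req.headers[name]


def inspect(req: Request, normalize_input: bool = True) -> Verdict:
    """Return the first matching rule. normalize_input=False shows what a
    naive engine that matches on the raw value would miss."""
    for location, raw in iter_fields(req):
        value = normalize(raw) if normalize_input else raw.lower()
        for rule_id, reason, pattern in RULES:
            if pattern.search(value):
                return Verdict(True, rule_id, reason, location, value)
    return Verdict(False)


def attack_log(req: Request, verdict: Verdict) -> dict:
    """The record a SOC analyst needs: action, rule, why, where, and the body."""
    return {"action": "block" if verdict.blocked else "allow",
            "rule_id": verdict.rule_id, "reason": verdict.reason,
            "location": verdict.location, "evidence": verdict.evidence,
            "request": {"method": req.method, "target": req.target, "body": req.body}}


# Constructed sample traffic.
SAMPLES = {
    "plain_sqli": Request("GET", "/search?q=' OR 1=1--"),
    # double percent-encoded: parse_qsl decodes once, normalize() decodes again
    "double_encoded_sqli": Request("GET", "/search?q=%2527%2520OR%25201%253D1--"),
    "xss_query": Request("GET", "/profile?name=%3Cscript%3Ealert(1)%3C/script%3E"),
    "traversal_path": Request("GET", "/static/%2e%2e/%2e%2e/%2e%2e/etc/passwd"),
    "xxe_body": Request("POST", "/api/import", {"Content-Type": "application/xml"},
                        '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY x SYSTEM "file:///etc/passwd">]><d>&x;</d>'),
    "benign": Request("GET", "/search?q=red+shoes+size+9"),
    # a business-logic flaw (negative transfer amount) matches no signature at all
    "unknown_logic_flaw": Request("POST", "/api/transfer", {"Content-Type": "application/json"},
                                  '{"from": "acct-1", "to": "acct-2", "amount": -500}'),
}


def run_samples(normalize_input: bool = True) -> dict:
    """Map each sample name to the rule id that blocked it, or None if allowed."""
    return {name: inspect(req, normalize_input).rule_id for name, req in SAMPLES.items()}
```

With normalization on, the double-encoded injection and the percent-encoded traversal are caught by the same rules as their plain forms; with it off they sail through, which is why encoding tricks are the first thing an attacker tries against a WAF. The negative-amount transfer is never flagged in either mode: no signature describes it, so it needs the non-signature defenses discussed in the rest of this page.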

How a WAF Delivers API Protection

The days of basic websites serving up simple HTML pages have passed. Web applications today deliver mission-critical services through APIs that provide a richer, more responsive experience by letting the client process raw data instead of just rendering HTML. The same APIs also back the mobile applications users rely on, so they need WAF protection as much as the browser-facing site does. Because an API hands the client direct access to that much data, an exploitable API flaw has a larger impact than a flaw in a page that renders a fixed view, and a WAF that can inspect API traffic, not just HTML form submissions, is the control that limits that impact.

WAF for Compliance

Making the data that web applications rely on available to the application often comes with compliance obligations. A WAF helps organizations meet compliance standards as well. PCI DSS, for example, defines a set of security requirements that organizations handling payment card data must comply with, and PCI DSS Requirement 6.6 in particular comes up whenever WAF technology is discussed.

Requirement 6.6 (PCI DSS v3.2.1) requires that public-facing web applications be protected against new threats on an ongoing basis, and offers two ways to do it: either review the application for vulnerabilities, using manual or automated assessment tools or methods, at least annually and after any change (which can slow down deployments), or install an automated technical solution that detects and prevents web-based attacks, such as a WAF, in front of the application. In a world where organizations are expected to deploy code changes frequently and rapidly as they adopt DevOps methodologies, a robust WAF will often be the more practical way to meet this requirement. Note that PCI DSS v4.0 carries this forward as Requirement 6.4.2, which once in effect makes the automated technical solution mandatory rather than one of two options.

Advanced WAF Capabilities

Organizations must also protect data from modern threats while minimizing friction for the end user. Frustrating user experiences include being blocked by a false positive, or having to pass excessive CAPTCHA challenges to prove one is human. The following advanced WAF capabilities help deliver an optimal user experience:

Machine learning

Traditional application learning techniques require manual tuning and are prone to false positives. Re-tuning every time the application changes, and remediating each false positive, drives up administrative overhead for teams that are often already overburdened. Machine learning in a WAF changes this by automatically building a model of real web application behavior (which parameters each endpoint accepts, and what their values normally look like) and updating that model automatically as the application evolves, so security teams spend less time manually tuning the WAF and creating exceptions for false positives.
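To make the positive-model idea concrete, here is an added example (it is not FortiWeb's learning engine; the traffic, character classes and thresholds are constructed for illustration). It learns a profile per endpoint and parameter from legitimate requests, flags values that fall outside the profile, and shows the false positive that appears when the application gains a new parameter until the model is re-learned:

```python
"""Toy "application learning" positive security model.

Added example (not FortiWeb code); all traffic below is constructed. A profile
is learned per (method, path, parameter) from legitimate requests, and new
requests are checked against it. A change to the application (a new query
parameter) produces false positives until the profile is re-learned.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Character classes from most to least restrictive; a parameter is assigned
# the narrowest class that covers every value seen while learning.
CHAR_CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_-]+$")),
    ("email", re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$")),
    ("text", re.compile(r"^[A-Za-z0-9 .,!?'_-]+$")),
    ("any", re.compile(r".*", re.S)),
]
CLASS_RX = dict(CHAR_CLASSES)


@dataclass
class Profile:
    char_class: str
    max_len: int
    samples: int


def split_request(target: str):
    parts = urlsplit(target)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def narrowest_class(values) -> str:
    for name, rx in CHAR_CLASSES:
        if all(rx.match(v) for v in values):
            return name
    return "any"


class LearningModel:
    def __init__(self, slack: float = 1.5):
        self.slack = slack               # tolerate up to slack * learned max length
        self.values = defaultdict(list)  # (method, path, param) -> values seen

    def learn(self, method: str, target: str) -> None:
        """Feed one legitimate request into the model."""
        path, params = split_request(target)
        for key, val in params:
            self.values[(method, path, key)].append(val)

    def profile(self, method: str, path: str, param: str):
        vals = self.values.get((method, path, param))
        if not vals:
            return None
        return Profile(narrowest_class(vals), max(len(v) for v in vals), len(vals))

    def check(self, method: str, target: str) -> list:
        """Return (param, reason) violations; an empty list means the request fits."""
        path, params = split_request(target)
        violations = []
        for key, val in params:
            prof = self.profile(method, path, key)
            if prof is None:
                violations.append((key, "unknown parameter"))
                continue
            if len(val) > prof.max_len * self.slack:
                violations.append((key, f"length {len(val)} exceeds learned max {prof.max_len}"))
            if not CLASS_RX[prof.char_class].match(val):
                violations.append((key, f"value does not match learned class {prof.char_class!r}"))
        return violations


# Constructed legitimate traffic used for the learning phase.
LEARNING_TRAFFIC = [
    ("GET", "/search?q=red+shoes&page=1"),
    ("GET", "/search?q=running+shoes+size+9&page=2"),
    ("GET", "/search?q=blue+jacket&page=10"),
    ("GET", "/account?id=1042"),
    ("GET", "/account?id=87"),
]


def demo() -> dict:
    """Learn from the sample traffic, then check a mix of benign and hostile requests."""
    model = LearningModel()
    for method, target in LEARNING_TRAFFIC:
        model.learn(method, target)
    results = {
        "benign": model.check("GET", "/search?q=green+hat&page=3"),
        "sqli_in_text_param": model.check("GET", "/search?q=%27+OR+1%3D1--&page=1"),
        "sqli_in_numeric_param": model.check("GET", "/account?id=1042+OR+1%3D1"),
        "unexpected_param": model.check("GET", "/account?id=87&debug=true"),
        # the application shipped a new 'sort' parameter: a false positive until re-learned
        "new_feature_before_relearn": model.check("GET", "/search?q=boots&page=1&sort=price_asc"),
    }
    model.learn("GET", "/search?q=boots&page=1&sort=price_asc")
    results["new_feature_after_relearn"] = model.check("GET", "/search?q=sandals&page=2&sort=price_desc")
    return results
```

No rule in this model mentions SQL, yet both injection attempts are rejected, simply because `=` is not a character the search box has ever seen and `id` has only ever been digits. The flip side is the `sort` parameter: a legitimate new feature is blocked until the model learns it, which is exactly the tuning burden the paragraph above describes and the reason a WAF should keep learning continuously rather than once at deployment.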

Advanced reporting

Simply blocking a request is not enough. Organizations need the full visibility into event details that a WAF can provide. Attack logs should include the information SOC analysts need to triage an event, such as the request headers and HTTP body, the rule or model that fired, and a clear indication of why the request was blocked.

APIs for Orchestration With a WAF

In addition to protecting the internet-facing APIs of business applications, an advanced WAF solution must provide its own APIs for managing the WAF itself, so that policy changes, onboarding of new applications and retrieval of attack logs can be automated alongside the application's own deployment pipeline rather than performed by hand.

Choosing the right WAF

The two Fortinet offerings compared below are marked with an x where a capability is included.

| Capability | AWS WAF with FortiWeb WAF Rules | FortiWeb Cloud WAF as a Service |
| --- | --- | --- |
| Backed by FortiGuard Labs threat intelligence | x | x |
| OWASP Top 10 protection | x | x |
| Delivered on AWS infrastructure | x | x |
| API WAF management | x | x |
| Bot mitigation | x | x |
| DDoS protection | x | x |
| Optional FortiSandbox integration | | x |
| File protection | | x |
| Information leak prevention | | x |
| Cross-site request forgery (CSRF) protection | | x |
| Content delivery network (CDN) included | | x |
| WebSocket security | | x |
| Attack log export to external SIEM | | x |
| API security | | x |