
A Web Application Firewall (WAF) is an intermediary device sitting between a web client and a web server that inspects OSI Layer-7 (HTTP) messages for violations of a programmed security policy (Web Application Security Consortium). In this way it protects the web server from application-layer attacks, including cross-site scripting and SQL injection.

WAFs are getting plenty of attention from an increasingly security-minded business community, even though analysts observe that the product space is still hard to define. Only last month, Gartner approved research on a Magic Quadrant on WAF with a target release date of Q4. Many WAF-focused products provide functionality beyond the "standard" WAF definition, while vendors outside the WAF space are adding WAF capabilities to offer a more integrated solution.

Companies are finally beginning to realize that the vast majority of attacks target the application layer, which may explain the growing interest in WAFs. PCI DSS also accepts a WAF as an alternative to code reviews for compliance purposes.

Our research shows that WAFs are an essential part of application security, alongside regular scans and code reviews. A WAF can be configured according to the findings of web scans to provide even better protection.

How does a company choose a WAF? Companies can start with two main questions:

1) What sort of functionality is required for my applications and my organization?
2) What sort of time and resource commitment is needed to tune the WAF and ensure it is working effectively?

Companies will also need to consider factors such as the frequency of false positives, the types of vulnerabilities detected, out-of-box setup and capability, learning-mode capability, configurability, scalability and performance.
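To make the policy-inspection idea from the opening paragraph concrete, and to show why false positives and tuning matter so much when evaluating a WAF, here is a small added example (not code from the original post or from any product): a toy Layer-7 request inspector that decodes the parameters of an HTTP request, applies a handful of signature rules, and returns a verdict. The rule ids, parameter names, and the sample requests are all constructed for illustration; a blocking policy, a monitor-only ("learning") policy, and a per-parameter exclusion used to tune away a false positive are shown side by side.

```python
"""Toy Layer-7 request inspector in the spirit of a WAF.

Added example, not code from the original post. Rule ids, parameter
names and the sample requests below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl

# Signature rules applied to each URL-decoded parameter value:
# (rule id, description, compiled pattern). Ids are made up for this example.
RULES = [
    ("SQLI-001", "tautology-style SQL fragment",
     re.compile(r"(?i)'\s*or\s+\S+\s*=\s*\S+")),
    ("SQLI-002", "SQL keyword followed by a comment marker",
     re.compile(r"(?i)\b(union|select)\b.*(--|#|/\*)")),
    ("XSS-001", "script tag in input", re.compile(r"(?i)<\s*script\b")),
    ("XSS-002", "inline event handler", re.compile(r"(?i)\bon\w+\s*=")),
]


@dataclass
class Policy:
    blocking: bool = True   # False = monitor/learning mode: log matches, never block
    # Tuning knob: rule ids to skip for a named parameter, e.g. {"comment": {"SQLI-002"}}
    exclusions: dict = field(default_factory=dict)


@dataclass
class Verdict:
    action: str     # "allow" | "block" | "log"
    matches: list   # (rule_id, parameter name, decoded value) triples


def parse_request(raw: bytes):
    """Parse a raw HTTP/1.1 request into (method, path, decoded params)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", errors="replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    params = dict(parse_qsl(query, keep_blank_values=True))   # parse_qsl URL-decodes
    headers = {k: v.strip() for k, v in (h.split(":", 1) for h in lines[1:] if ":" in h)}
    if body and headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body.decode("utf-8", errors="replace"), keep_blank_values=True))
    return method, path, params


def inspect(raw: bytes, policy: Policy) -> Verdict:
    """Run every rule over every decoded parameter and decide allow / block / log."""
    _method, _path, params = parse_request(raw)
    matches = []
    for name, value in params.items():
        skipped = policy.exclusions.get(name, set())
        for rule_id, _desc, pattern in RULES:
            if rule_id not in skipped and pattern.search(value):
                matches.append((rule_id, name, value))
    if not matches:
        return Verdict("allow", [])
    return Verdict("block" if policy.blocking else "log", matches)


# Constructed sample traffic for a fictional host "shop.example".
CLEAN = b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
LOGIN_ATTACK = (b"GET /login?user=admin'+OR+1%3D1--&pw=x HTTP/1.1\r\n"
                b"Host: shop.example\r\n\r\n")
SEARCH_XSS = (b"GET /search?q=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1\r\n"
              b"Host: shop.example\r\n\r\n")
# A legitimate product review that trips SQLI-002 ("Select ... --"): a false positive.
REVIEW_POST = (b"POST /review HTTP/1.1\r\nHost: shop.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"product=42&comment=Select+the+large+size+--+it+runs+small")

DEFAULT = Policy()                                   # block on any match
MONITOR = Policy(blocking=False)                     # learning mode: log only
TUNED = Policy(exclusions={"comment": {"SQLI-002"}})  # free-text field excluded from SQLI-002


if __name__ == "__main__":
    for label, raw in [("clean", CLEAN), ("login attack", LOGIN_ATTACK),
                       ("search xss", SEARCH_XSS), ("review (untuned)", REVIEW_POST)]:
        v = inspect(raw, DEFAULT)
        print(f"{label:18} -> {v.action:5} {[m[0] for m in v.matches]}")
    print(f"{'review (monitor)':18} -> {inspect(REVIEW_POST, MONITOR).action}")
    print(f"{'review (tuned)':18} -> {inspect(REVIEW_POST, TUNED).action}")
```

The review request is the interesting case: an untuned blocking policy rejects a harmless comment, a monitor-only policy would have surfaced that as a log entry before anyone was locked out, and a single per-parameter exclusion removes the false positive without weakening the rule for the rest of the application. Evaluating how easy a product makes that tuning loop (and how it feeds scan findings back into policy) is the substance of the second question above.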

We suggest that before an organization makes a purchasing decision on a WAF, they first consult with experts on what kind of product will meet their needs and how it can be deployed.

Contributed by Karen Chiang, PCIS Program Manager


WEBINAR INVITATION: Want to learn more about WAFs and whether a WAF solution would be effective for your organization? Register for our Case for Security webinar coming up on July 8: Fundamentals of Web Application Firewalls

Vaclav Vincalek June 26th, 2009 10:01:00 AM