Here we have a perfect example of how a web application firewall is supposed to work, courtesy of IT security manager Jeff Rice, testifying in the ComputerWorld article "We've been blind to attacks on our Websites".
The earnest executive knew that his company’s website was being scraped, but he needed more information:
The firewalls and IDS allow us to see some of what's going on, but can they really detect active content-based attacks? To find out, I installed a Web application firewall in my company's DMZ to tell us about active attacks that may not be identified by our other devices.
Sure enough, the WAF did what it was supposed to do. His report:
Our Web sites are being "scraped" by other companies -- our competitors! Some of the information on our sites is valuable intellectual property. It is provided online, in a restricted manner (passwords and such), to our customers. Such restrictions aren't very difficult to overcome for the Web crawlers that our competitors are using, because webmasters usually don't know much about security. They make a token attempt to put passwords and restrictions on sensitive files, but they often don't do a very good job.
Not only that, but the site was being hit with hundreds of SQL injection attempts every day.
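As an added illustration (not from the article, and not any product Rice used), here is a small Python script that performs the two kinds of content-level inspection a WAF adds over a network firewall or IDS: crude SQL injection signatures matched against the URL-decoded request, and a per-client count of distinct resources fetched from a password-protected area to surface crawlers walking it in bulk. The access-log format, the `/members/` prefix, the signature list and the threshold are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Access-log line shape assumed here: client IP, quoted request line, status code.
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) HTTP/[\d.]+" (\d{3})$')

# A handful of crude SQL injection signatures, applied to the URL-decoded request.
# Real WAF rule sets are far larger; this only illustrates content-level inspection.
SQLI_RE = re.compile(
    r"(\bunion\b.*\bselect\b|'\s*or\s*'?\d|--|/\*|\bsleep\s*\(|\binformation_schema\b)",
    re.IGNORECASE,
)

# Constructed sample traffic (not from the article): an ordinary request, two
# injection attempts, one customer fetching one datasheet, and a crawler walking
# every restricted datasheet in sequence, which is scraping rather than browsing.
SAMPLE_LOG = "\n".join(
    [
        '10.0.0.5 "GET /products?id=42 HTTP/1.1" 200',
        '10.0.0.5 "GET /products?id=42%27+OR+%271%27%3D%271 HTTP/1.1" 200',
        '10.0.0.5 "GET /products?id=1+UNION+SELECT+user%2Cpass+FROM+accounts-- HTTP/1.1" 500',
        '198.51.100.7 "GET /members/datasheet/3 HTTP/1.1" 200',
    ]
    + [f'203.0.113.9 "GET /members/datasheet/{i} HTTP/1.1" 200' for i in range(1, 151)]
)

def analyze(log_text, restricted_prefix="/members/", scrape_threshold=100):
    """Return SQLi hits and clients that pulled more than scrape_threshold
    distinct resources under restricted_prefix."""
    sqli_hits = []
    restricted = defaultdict(set)  # client IP -> distinct restricted paths seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, _method, target, _status = m.groups()
        decoded = unquote_plus(target)  # inspect what the application will see
        if SQLI_RE.search(decoded):
            sqli_hits.append((ip, decoded))
        if decoded.startswith(restricted_prefix):
            restricted[ip].add(decoded)
    scrapers = {ip: len(paths) for ip, paths in restricted.items()
                if len(paths) > scrape_threshold}
    return {"sqli": sqli_hits, "scrapers": scrapers}

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"{len(report['sqli'])} SQL injection attempts; scrapers: {report['scrapers']}")
```

On the constructed sample it reports two injection attempts from 10.0.0.5 and flags 203.0.113.9 for pulling 150 distinct restricted datasheets, while the single customer request stays below the threshold.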
Given his job title, Jeff probably wasn’t sleeping too well at night. But at least now he had the information to go back to his web developers and push them to build their site with better security in mind.
Their WAF's findings furnished the proof management needed to begin fixing the known issues – no doubt at far less cost than a successful data breach through the website would have carried (see Investment in Proactive Security Beats Cost of Doing Nothing). When you know where the problem is, it's a lot easier to fix it.
Vaclav Vincalek October 13th, 2009 08:30:00 AM