In part two of our interview with Dustin Larmeir, director of security engineering at TierPoint, we dive into how a web application firewall (WAF) improves IT security, what types of organizations use WAFs, and one downside to beware of.
Read the first part of the Q&A series ‘What is a Web Application Firewall?’ – where Dustin explains what a web application firewall is, the types of applications a WAF protects, and the types of attacks a WAF blocks.
Why you need a web application firewall
Interviewer: Why would an organization with a web server need a web application firewall?
Dustin: We’re all human. A web application firewall, or WAF, is an insurance policy against human errors in the software development process and an important part of securing the software development lifecycle. A WAF is a key extension to a defense-in-depth security model, and provides protection against vulnerability exploitation and advanced layer 7 denial of service attacks.
As humans, we’re imperfect. When we write code, we introduce vulnerabilities, some of which are not caught immediately. A web application firewall protects the organization from coding mistakes until they can be fixed. A web application firewall, security scanning of web applications, and a code analysis review program are three necessary elements to secure your software development lifecycle.
A defense-in-depth security model takes a multi-layer approach to your IT security defenses. Each layer drives up the skill required of the threat actor attempting to exploit the data, making your environment more difficult to penetrate. A WAF is important for a multi-layer security strategy.
A web application firewall also provides protection from third-party software bugs and zero-day vulnerabilities. For example, if you have a WordPress blog and WordPress releases an update with a security vulnerability – an exploit – your blog is at risk. You’ll need to apply a patch, but maybe WordPress hasn’t released an update yet, or you can’t update your WordPress blog right now for some other reason, such as a customization that may break with a new version. A WAF signature database could take that known exploit and apply a patch at the WAF level to prevent exploitation of the vulnerability until you are able to update WordPress.
Blocking advanced layer 7 denial of service attacks, that is, denial of service attacks against the application layer, is another protection provided by a web application firewall. A WAF can defend against application attacks ranging from low-and-slow HTTP attacks to HTTPS SSL GET floods and POST floods, for example.
These types of enterprises need a WAF the most
Interviewer: What types of businesses typically need web application firewalls?
Dustin: Any business with personally identifiable information (PII) and those with industry standards or regulatory compliance such as PCI, HIPAA and HITECH should absolutely have a web application firewall. These types of businesses have a lot to lose, including costly fines if they don’t protect customer information.
Businesses that must comply with payment card industry (PCI) regulatory compliance standards have a good use case for a web application firewall, because PCI DSS 6.6 specifically calls out the need for advanced web application security – that’s basically a call for a web application firewall.
In healthcare with HIPAA and HITECH, while HIPAA doesn’t specifically state that these types of businesses need a WAF, it would be a big oversight to not have one, because of the costs from a breach of healthcare records – a business-ending event for SMBs [small and medium businesses]. It makes good business sense to have a web application firewall in those scenarios.
If you collect any PII, or personally identifiable information – such as user names, addresses, phone numbers, social security numbers and anything like that – even if you aren’t subject to regulatory compliance, if the data you collect is sensitive, you should probably have a web application firewall in front of that environment.
A web application firewall does more than just block attackers. Some WAF technologies can mask sensitive data during an attempt to exfiltrate the data – so even if a threat actor gets in, they can be prevented from exfiltrating the most sensitive data. The Radware AppWall, for example, can mask social security numbers or custom numbers that you enter into the system, through its own logic. In this way a web application firewall can mitigate some of the risk of a programming error.
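The response-side masking Dustin describes can be illustrated with a small egress filter. The code below is an added example written for this post; it is not Radware AppWall logic or any vendor's code. It assumes two hypothetical rules: a field rule that masks any value stored under a JSON key named `ssn` regardless of format, and a text rule that masks dashed social security numbers wherever they appear in free text. The sample response body is constructed for the example.

```python
import json
import re

# Hypothetical field rule: values under these JSON keys are always masked,
# whatever their format (catches the undashed "987654321" case).
SENSITIVE_KEYS = {"ssn", "social_security_number"}

# Hypothetical text rule: dashed US SSN. Word boundaries keep it from firing
# inside longer digit runs such as account or phone numbers.
SSN_DASHED = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed sample response body (not taken from any real system).
SAMPLE_RESPONSE = (
    '{"name": "Jane Example", "ssn": "987654321", '
    '"note": "prior SSN 123-45-6789", '
    '"accounts": [{"ssn": "111-22-3333"}]}'
)


def mask_value(value: str) -> str:
    """Keep the last four characters of a sensitive value, mask the rest."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


def mask_text(text: str) -> tuple[str, int]:
    """Apply the dashed-SSN text rule; returns (masked text, number of masks)."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        count += 1
        return f"***-**-{m.group(3)}"

    return SSN_DASHED.sub(repl, text), count


def mask_json(obj):
    """Recursively mask a parsed JSON document; returns (masked obj, count)."""
    count = 0
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            if key.lower() in SENSITIVE_KEYS and isinstance(val, str):
                out[key] = mask_value(val)
                count += 1
            else:
                out[key], sub = mask_json(val)
                count += sub
        return out, count
    if isinstance(obj, list):
        items = []
        for val in obj:
            masked, sub = mask_json(val)
            items.append(masked)
            count += sub
        return items, count
    if isinstance(obj, str):
        return mask_text(obj)
    return obj, 0


def mask_response(body: str) -> tuple[str, int]:
    """Mask a response body on the way out. JSON bodies get the field rule plus
    the text rule on string values; anything else gets the text rule only."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return mask_text(body)
    masked, count = mask_json(parsed)
    return json.dumps(masked), count


if __name__ == "__main__":
    body, n = mask_response(SAMPLE_RESPONSE)
    print(n, "values masked:", body)
```

The field rule is what makes this more than a regex: a pattern alone would pass the undashed value straight through, which is the kind of gap an attacker exfiltrating data would rely on. Masking at the WAF is a compensating control; the application should still be fixed so it never returns the value in the first place.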
Managing a WAF is complex
Interviewer: Are there any downsides to owning a web application firewall?
Dustin: A big downside is the complexity of management. If you are managing a web application firewall yourself in house, that management can be very specialized and require a unique skill set. For example, the administrator of a WAF needs to have a combination of knowledge bases: software development, web applications, web servers, security, and best practices around web application security.
Managing a WAF requires a deep understanding of false positives versus legitimate blocks, because there are tradeoffs between positive and negative security models, and you could accidentally block too much or too little if the person managing the website lacks experience.
In the positive model, for example, you identify who you will let in and block everyone else. That could result in blocking legitimate users, called false positives. Reducing the false positives involves more management overhead and more time spent tuning and keeping the rules up to date.
In a negative security model, you identify who you want to block, and let everyone else in. That may result in a failure to block malicious users, so although a negative security model will have less WAF management overhead, your site may be subject to more malicious activity.
What platform are you protecting? It might make sense on a marketing website, for example, to use a negative security model to minimize false positives and avoid restricting your audience. On the other hand, if you have a portal with sensitive data, it would make sense to implement a positive security model and make sure that the controls are tighter – though that will require more management.
There is a trade-off either way: less security and less overhead, or tighter security and more overhead. Both have valid use cases. Some companies reach out to IT security service providers such as TierPoint to design, deploy and manage their web application firewalls.
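The positive-versus-negative trade-off, and the signature-based virtual patching described in the first answer, can both be seen in one small simulation. This is an added example written for this post, not code from TierPoint or any WAF vendor. It assumes a hypothetical allowlist (paths, parameter names and value patterns) for the positive model and a hypothetical two-entry signature list for the negative model; the traffic sample is constructed, and each request carries a ground-truth label only so the two models can be scored against each other.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    path: str
    params: dict
    legitimate: bool  # ground truth, known only because the sample is constructed


# Constructed sample traffic: legitimate requests plus a few hostile ones,
# including one probe for which no signature exists yet.
TRAFFIC = [
    Request("/login", {"user": "alice", "pw": "hunter2"}, True),
    Request("/search", {"q": "widgets"}, True),
    Request("/search", {"q": "widgets", "page": "2"}, True),    # "page" not allowlisted
    Request("/blog/2019/new-feature", {}, True),                  # path not allowlisted
    Request("/search", {"q": "' UNION SELECT 1,2"}, False),      # known signature
    Request("/download", {"file": "../../etc/passwd"}, False),   # known signature
    Request("/admin/export", {"fmt": "csv"}, False),             # no signature yet
]

# Hypothetical positive model: only these paths, parameters and value shapes
# are permitted; everything else is blocked.
ALLOWLIST = {
    "/login": {"user": r"^[a-z0-9_]{1,32}$", "pw": r"^.{1,128}$"},
    "/search": {"q": r"^[\w ]{1,64}$"},
}

# Hypothetical negative model: a signature database. A virtual patch for a
# third-party bug is simply another entry appended to this list.
SIGNATURES = [
    re.compile(r"union\s+select", re.IGNORECASE),
    re.compile(r"\.\./"),
]


def positive_model(req: Request) -> bool:
    """Return True if the allowlist blocks this request."""
    rules = ALLOWLIST.get(req.path)
    if rules is None:
        return True
    for name, value in req.params.items():
        pattern = rules.get(name)
        if pattern is None or not re.fullmatch(pattern, value):
            return True
    return False


def negative_model(req: Request) -> bool:
    """Return True if any known-bad signature matches the path or a value."""
    haystack = [req.path, *req.params.values()]
    return any(sig.search(v) for sig in SIGNATURES for v in haystack)


def evaluate(model, traffic=TRAFFIC) -> dict:
    """Score a model: total blocked, legitimate requests blocked (false positives),
    and malicious requests let through (misses)."""
    decisions = [model(r) for r in traffic]
    false_positives = sum(1 for r, b in zip(traffic, decisions) if b and r.legitimate)
    missed = sum(1 for r, b in zip(traffic, decisions) if not b and not r.legitimate)
    return {"blocked": sum(decisions), "false_positives": false_positives, "missed": missed}


if __name__ == "__main__":
    print("positive model:", evaluate(positive_model))
    print("negative model:", evaluate(negative_model))
```

On this sample the positive model blocks all three hostile requests but also two legitimate ones (the extra `page` parameter and the unlisted blog path), which is the tuning overhead Dustin refers to: every new page or parameter the developers ship needs an allowlist entry. The negative model produces no false positives but lets the probe with no signature through, and stays that way until someone writes the rule. Which outcome is acceptable depends on what sits behind the WAF, exactly as the marketing-site versus sensitive-portal comparison above suggests.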
More on web application firewalls
In the third blog post in this Q&A series, we’ll look at computing trends impacting the future of web application firewalls.