Web application firewalls
WAFs inspect inbound and outbound traffic to an application and enforce a security policy meant to prevent attackers from compromising the site. Security techniques implemented by WAFs vary, but a practical WAF should include both positive security (allow only URLs, parameters, field values, cookies and methods which are known to be good) and negative security (block usage that is known to be malicious). Advanced WAFs combine these two types of security rules as well as correlate multiple user behaviours to increase accuracy. Also, the product must automate the creation and ongoing maintenance of the application profile, otherwise administrators would have to manually configure and tune the entire application white list or profile.
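The positive/negative model above is easiest to see in code. The following is an added illustration written for this page, not code from the article or from any WAF vendor: a toy policy engine that learns an allow-list profile (methods, parameter names, parameter value formats, cookie names per path) from traffic assumed to be known-good, checks new requests against that profile, runs a few generic negative-security signatures, and correlates violations per client. The `Request` shape, the value classes, the rule names and the sample traffic are all constructed assumptions; a real WAF handles far more (headers, bodies, encodings, rate limits) and would tune the value classes and thresholds to the application.

```python
"""Toy WAF policy engine (added example; not from the article or any product).
Demonstrates positive security (learned profile), negative security (signatures)
and per-client correlation. All request formats and rules are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    params: dict   # query/form parameters, name -> value (constructed shape)
    cookies: dict  # cookie name -> value


# Value classes from tightest to loosest; the learner assigns each parameter
# the tightest class that every observed known-good value satisfies.
VALUE_CLASSES = [
    ("digits", re.compile(r"^[0-9]{1,10}$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_-]{1,64}$")),
    ("text", re.compile(r"^[^<>\x00-\x1f]{0,256}$")),
]
CLASS_RX = dict(VALUE_CLASSES)


@dataclass
class Profile:
    # path -> {"methods": set, "params": {name: class}, "cookies": set}
    endpoints: dict = field(default_factory=dict)


def learn_profile(good_requests):
    """Positive security: build the application allow-list from known-good traffic."""
    seen = defaultdict(lambda: {"methods": set(), "params": defaultdict(list), "cookies": set()})
    for r in good_requests:
        e = seen[r.path]
        e["methods"].add(r.method)
        e["cookies"].update(r.cookies)
        for name, value in r.params.items():
            e["params"][name].append(value)
    profile = Profile()
    for path, e in seen.items():
        classes = {}
        for name, values in e["params"].items():
            # first (tightest) class that fits every observed value; None if none fits
            classes[name] = next((cls for cls, rx in VALUE_CLASSES
                                  if all(rx.match(v) for v in values)), None)
        profile.endpoints[path] = {"methods": e["methods"], "params": classes, "cookies": e["cookies"]}
    return profile


def positive_violations(profile, r):
    """Reasons the request falls outside the learned profile (empty list = conforms)."""
    e = profile.endpoints.get(r.path)
    if e is None:
        return ["unknown path"]
    reasons = []
    if r.method not in e["methods"]:
        reasons.append(f"method {r.method} not allowed on {r.path}")
    for name, value in r.params.items():
        if name not in e["params"]:
            reasons.append(f"unknown parameter {name}")
            continue
        cls = e["params"][name]
        if cls is not None and not CLASS_RX[cls].match(value):
            reasons.append(f"parameter {name} does not match class {cls}")
    reasons += [f"unknown cookie {c}" for c in r.cookies if c not in e["cookies"]]
    return reasons


# Negative security: a few generic, widely documented bad-input signatures.
NEGATIVE_RULES = [
    ("sql-comment", re.compile(r"(--|/\*)")),
    ("script-tag", re.compile(r"<\s*script", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]


def negative_matches(r):
    """Names of signature rules that match any parameter, cookie value or the path."""
    values = list(r.params.values()) + list(r.cookies.values()) + [r.path]
    return sorted({name for name, rx in NEGATIVE_RULES for v in values if rx.search(v)})


class Correlator:
    """Counts violations per client; once a client passes the threshold even
    its clean requests are blocked (the 'correlate user behaviour' idea)."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.strikes = defaultdict(int)

    def decide(self, client, profile, r):
        reasons = positive_violations(profile, r) + negative_matches(r)
        if reasons:
            self.strikes[client] += 1
        if self.strikes[client] >= self.threshold:
            reasons.append("client exceeded violation threshold")
        return ("block" if reasons else "allow"), reasons


# Constructed known-good traffic used to learn the profile.
GOOD_TRAFFIC = [
    Request("GET", "/products", {"id": "42"}, {"session": "abc123"}),
    Request("GET", "/products", {"id": "7"}, {"session": "zz9"}),
    Request("POST", "/login", {"user": "alice", "password": "s3cret-pw"}, {}),
    Request("POST", "/login", {"user": "bob_1", "password": "hunter2"}, {}),
]

if __name__ == "__main__":
    profile = learn_profile(GOOD_TRAFFIC)
    waf = Correlator()
    for req in [Request("GET", "/products", {"id": "99"}, {"session": "q"}),
                Request("GET", "/products", {"id": "1 OR 1=1"}, {"session": "q"}),
                Request("GET", "/admin", {}, {})]:
        print(req.method, req.path, waf.decide("10.0.0.5", profile, req))
```

Note what each half catches: the `id=1 OR 1=1` request trips no signature, yet the positive profile rejects it because `id` was learned as digits only, which is why the article insists on both models rather than signatures alone. The learner also shows why profile maintenance must be automated: every new endpoint or parameter the application gains has to be relearned or the positive model starts blocking legitimate users.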
Because a WAF can be deployed without affecting the application and without engaging outside consultants to review application code, a WAF is a faster and more cost-effective approach to Web application security. As the head of Vonage's information security, Marc Appelbaum, put it in a podcast, WAF is constant application security, whereas other things, such as code reviews or even vulnerability scans, are point-in-time snapshots of an environment.
First and last line of defence
There is no single tool that can offer complete security on all fronts. However, given the escalating number and sophistication of Web application attacks, a WAF makes an imperative first line of defence for preventing devastating application breaches.
A WAF can be deployed to provide immediate protection, and it can be quickly configured to adjust as applications and application attacks change. WAFs not only provide the most cost-effective first step, but a sound building block for the second step. Once a WAF is in place, code review projects can proceed at a controlled pace, reducing the risk of errors. WAFs also provide critical information on usage patterns and changes in them that can guide code review teams and point out obvious problems.
It is heartening to see signs of growing WAF awareness in the Asia-Pacific, going by statistics from Frost & Sullivan: WAF demand in the region grew 57.1 per cent year-on-year in 2009 to reach US$38.8 million, and is expected to grow further to US$117.3 million in 2012.
The increasing penetration of Web 2.0 into enterprises will demand better visibility and management of Web applications and data. By better understanding and taking the necessary precautions to meet the changing nature of cyber threats, businesses can more effectively bolster their data security efforts while preventing embarrassing leaks and unnecessary lawsuits.
Common Web application attacks you should beware of
Web application security solutions must provide protection against a range of attacks targeting vulnerabilities in both custom application logic and underlying commercial software platforms. Increasingly, these attacks also target vulnerabilities in Web services (XML, SOAP, etc.) components of application software. As the following example illustrates, a single threat such as identity theft may result from any number of vulnerabilities and associated attacks.