The Web App Firewall Is Dead and We Know Who Killed It
The past couple of decades have turned the Web Application Firewall (WAF) into a ubiquitous piece of security kit. Any organization with a web application (which includes most large businesses) has a WAF installed to protect its data and assets from being exploited and attacked. Best practice for securing web applications has evolved into simply deploying a WAF in front of your app. But in the current market, with the modern application lifecycle empowering DevOps to release updates at a much higher frequency, can the traditional WAF keep up?
It’s the worst-kept industry secret that WAFs aren’t all that they’re cracked up to be in the modern world of agile development. A WAF cannot keep up with application updates, which happen regularly, and maintaining a WAF has become labor-intensive and complex.
What is a Security Professional to do if the WAF is dead? What will prevent your web application from becoming the front door into your organization’s Fort Knox? Knowing that DevOps are going to keep spinning out new code, how can you figure out if your WAF is worth the maintenance or whether it’s dead in the water? Let us take a closer look at what it would take for your WAF to keep up with the speed of DevOps.
Context Is King
Where network security was all about monitoring static networks that all use the same protocols, WAFs were designed to protect web applications that are distinctly different from one another. Every app is unique, and each piece of code is different and nuanced, with its own set of vulnerabilities. Even before the introduction of cloud storage and the breakneck speed of DevOps, WAFs were recognized as being only a mediocre security solution. Inevitably, using a solution that sits in front of the app rather than inside it means that contextual analysis is impossible. With no context to understand the content within the app that is being interacted with, it is impossible to automate the WAF’s evolution in parallel with the application’s evolution.
Education, Education, Education
Machine learning improvements have only solved this conundrum to a degree. While sophisticated WAFs need “only” a month to sit silently and learn in order to create a baseline for the application, a month is a long time to leave an app unprotected. It is inevitable that humans need to step in and help calibrate the WAF, and that is when the maintenance becomes heavy duty. If the WAF needs time to learn and create a new baseline every time the content or code changes, there is a lot of heavy lifting for the administrator to reduce the alerts and create exceptions.
Automate or Disintegrate
On to the next question: can your WAF really protect a web application from logic attacks without human intervention? The answer is that with continuous delivery, it is just not possible. The reality is that most WAFs are run in alert (detection-only) mode rather than blocking mode. It is too dangerous to allow them to over-block, and the high volume of alerts creates alert fatigue. Perhaps an administrator will do some minor fine-tuning so that sensitive parts of the app are covered by blocking rules, but the rest of the app will be protected by the WAF in alert mode, using pattern matching and other crude techniques. This adds up to a security solution that cannot auto-deploy to protect against new logic attacks as the app evolves.
Go Fast or Go Home
Cloud computing is about agility. What took two weeks to create back in 2015 now takes mere seconds. By leveraging microservices, you can dramatically change your app in a few minutes. In this new environment, it is absurd to consider using a standard pre-cloud application security solution that relies on learning or manual configurations.
Each time a developer tweaks code and sends it out into the wild, it is a unilateral move with no consultation with security personnel.
If you are using a WAF that relies on the assumption that everything in your environment is generic, your WAF is defunct and it is time to call in the undertakers. The WAF is dead, and DevOps killed it. Now is the time to run a forensic analysis to figure out whether your WAF still has a pulse, or whether you are carrying dead weight.