Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Learning to Love WAFs

A qualified love to be sure, but Web app firewalls do have their uses

11:10 AM -- For the last few years I've snickered and jeered at people who have bought into the concept of WAFs. I've broken past every one I've seen, and found none of them to be particularly effective at solving any major problems.

Here's why: They add a single point of failure, they can't find anything they don't know to look for, and they tend to block things without a significant amount of tuning. My opinion stayed steadfast for over a year -- that was until a few days ago.

During a routine audit of a company, it became clear that the site was in far more danger than I originally thought, with more than 1,000 attack points against its Web application. It was clear that despite having a small army at their disposal this would be a tough task even with significant resources. It's just too human intensive. Further, the site is a huge target. Time to think outside the box.

WAFs have two distinct functions that are outside of what a normal Web server has. The first is the ability to make quick changes outside of typical change-control processes put in place by large companies.

That's particularly true when thinking about seasonal change control freezes to insure stability for publicly traded companies that do a large amount of e-commerce. Being able to make quick, temporary patches to the Web application without jeopardizing the entire application is a sexy alternative.

The second function is the ability to do matching for a single malicious string across different applications using regular expressions or anomaly detection. To do this inside a Web server would be significantly more complex without modifications to the Web server itself (i.e., mod security, which technically is a WAF). So after it's all said and done, I honestly believe there is a good reason to install and use a WAF in a production environment.

For enterprises looking for a long-term strategy of short-term fixes, this is a great stop-gap. Does it protect against everything? No. Will it introduce complexity, another device to support, additional points of failure, and cost? Yes. Will I continue to recommend it? In the situation mentioned above, I'm a convert. I still have my doubts about the technology as a whole, but I'm happy to have a solution for my client.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...