Could there be a WAF (Web application firewall) in your future? After some false starts in the past, WAF time could be near, experts say.

Enterprises are having trouble balancing the need to patch newly discovered Website vulnerabilities while also adding new Web features and code to keep their sites fresh, observers say. "Websites are completely riddled with vulnerabilities," says Jeremiah Grossman, CTO of WhiteHat Security , which estimates that 7 out of 10 Websites have cross-site scripting flaws, and 8 out of 10 are generally vulnerable to attack.

Most enterprises don't have the resources to generate new code, functions, and business processes while fixing flaws at the same time, Grossman says. "Unless the end of the world is going to happen for a company, it's a struggle to get vulnerabilities fixed. They need a Plan B."

WAFs could be Plan B if they have the right features, Grossman says. "WAFs have their challenges, but we need them to work," he says. "It's an interim solution that gives us some relief and time" to fix vulnerabilities and Web app code, he explains.

WAF technology is still maturing, and remains a rarity for most Websites today. The trouble with many WAFs is there's no way for a Web administrator configuring one to know everything about a Web application. "Web apps are complex. He can't configure it correctly so it starts blocking things it doesn't know about," says Mark Kraynak, director of product marketing for Imperva Inc. , which sells a WAF. Plus these apps are constantly changing -- anywhere from five to 15 times a week for ecommerce apps, with new categories or pricing, for instance.

"Applications change so much that a static WAF model can't keep up," he says. And early products put undue strain on an application, sometimes crashing it and requiring constant management and configuration. "The good news is that better solutions exist that don't break your apps."

Imperva's SecureSphere uses "dynamic profiling," which automatically adapts to changes in the application so that the Web admin doesn't have to do so manually, and so that the firewall won't block or let in the wrong traffic. It builds a "model of legitimate behavior" in an app, Kraynak says. And the firewall is less intrusive to the Web app than earlier iterations of WAFs, he says.

Although most WAFs are standalone devices, they could eventually become part of load balancers or other types of switches. Grossman says to look for companies like F5 Networks Inc. (Nasdaq: FFIV) and Cisco Systems Inc. (Nasdaq: CSCO) to go this route with WAF technology.

So what exactly can a WAF do for a Website today? It could wipe out the majority of pervasive cross-site scripting and SQL injection flaws, Grossman says -- about 70 to 80 percent of them. "Then the security guys have to prioritize the other vulnerabilities to fix them. They can make better use of their time, and don't have to block everything all the time."

WhiteHat runs Breach Security Inc. 's open-source, software-based ModSecurity firewall for its Web app security service clients. It provides an extra layer, Grossman says, using a set of rules White Hat defined for traffic. "Do we expect it to block everything? No."

Breach Security late last month released a commercial appliance version of ModSecurity called ModSecurity Pro M1000. Kevin Overcash, vice president of product management at Breach, says regulatory pressures such as PCI are starting to drive WAF adoption. And the technology is improving: "It's matured now to the point where we're doing a lot of correlating to reduce false positives and to eliminate the blocking of a legitimate transaction," he says.

ModSecurity's firewall also detects defects in an application design, he notes. "We see the entire app."

But experts feel Web application firewalls have a long way to go until they are stable. "The technology needs to continue maturing before it's ready for mainstream acceptance," says Grossman.

— Kelly Jackson Higgins, Senior Editor, Dark Reading