Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/14/2007
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Wait for WAFs

Web application firewalls are a first step in getting on top of Web security - but these devices still have a ways to go

Could there be a WAF (Web application firewall) in your future? After some false starts in the past, WAF time could be near, experts say.

Enterprises are having trouble balancing the need to patch newly discovered Website vulnerabilities while also adding new Web features and code to keep their sites fresh, observers say. "Websites are completely riddled with vulnerabilities," says Jeremiah Grossman, CTO of WhiteHat Security , which estimates that 7 out of 10 Websites have cross-site scripting flaws, and 8 out of 10 are generally vulnerable to attack.

Most enterprises don't have the resources to generate new code, functions, and business processes while fixing flaws at the same time, Grossman says. "Unless the end of the world is going to happen for a company, it's a struggle to get vulnerabilities fixed. They need a Plan B."

WAFs could be Plan B if they have the right features, Grossman says. "WAFs have their challenges, but we need them to work," he says. "It's an interim solution that gives us some relief and time" to fix vulnerabilities and Web app code, he explains.

WAF technology is still maturing, and remains a rarity for most Websites today. The trouble with many WAFs is there's no way for a Web administrator configuring one to know everything about a Web application. "Web apps are complex. He can't configure it correctly so it starts blocking things it doesn't know about," says Mark Kraynak, director of product marketing for Imperva Inc. , which sells a WAF. Plus these apps are constantly changing -- anywhere from five to 15 times a week for ecommerce apps, with new categories or pricing, for instance.

"Applications change so much that a static WAF model can't keep up," he says. And early products put undue strain on an application, sometimes crashing it and requiring constant management and configuration. "The good news is that better solutions exist that don't break your apps."

Imperva's SecureSphere uses "dynamic profiling," which automatically adapts to changes in the application so that the Web admin doesn't have to do so manually, and so that the firewall won't block or let in the wrong traffic. It builds a "model of legitimate behavior" in an app, Kraynak says. And the firewall is less intrusive to the Web app than earlier iterations of WAFs, he says.

Although most WAFs are standalone devices, they could eventually become part of load balancers or other types of switches. Grossman says to look for companies like F5 Networks Inc. (Nasdaq: FFIV) and Cisco Systems Inc. (Nasdaq: CSCO) to go this route with WAF technology.

So what exactly can a WAF do for a Website today? It could wipe out the majority of pervasive cross-site scripting and SQL injection flaws, Grossman says -- about 70 to 80 percent of them. "Then the security guys have to prioritize the other vulnerabilities to fix them. They can make better use of their time, and don't have to block everything all the time."

WhiteHat runs Breach Security Inc. 's open-source, software-based ModSecurity firewall for its Web app security service clients. It provides an extra layer, Grossman says, using a set of rules White Hat defined for traffic. "Do we expect it to block everything? No."

Breach Security late last month released a commercial appliance version of ModSecurity called ModSecurity Pro M1000. Kevin Overcash, vice president of product management at Breach, says regulatory pressures such as PCI are starting to drive WAF adoption. And the technology is improving: "It's matured now to the point where we're doing a lot of correlating to reduce false positives and to eliminate the blocking of a legitimate transaction," he says.

ModSecurity's firewall also detects defects in an application design, he notes. "We see the entire app."

But experts feel Web application firewalls have a long way to go until they are stable. "The technology needs to continue maturing before it's ready for mainstream acceptance," says Grossman.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.