Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/14/2007
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Wait for WAFs

Web application firewalls are a first step in getting on top of Web security - but these devices still have a ways to go

Could there be a WAF (Web application firewall) in your future? After some false starts in the past, WAF time could be near, experts say.

Enterprises are having trouble balancing the need to patch newly discovered Website vulnerabilities while also adding new Web features and code to keep their sites fresh, observers say. "Websites are completely riddled with vulnerabilities," says Jeremiah Grossman, CTO of WhiteHat Security , which estimates that 7 out of 10 Websites have cross-site scripting flaws, and 8 out of 10 are generally vulnerable to attack.

Most enterprises don't have the resources to generate new code, functions, and business processes while fixing flaws at the same time, Grossman says. "Unless the end of the world is going to happen for a company, it's a struggle to get vulnerabilities fixed. They need a Plan B."

WAFs could be Plan B if they have the right features, Grossman says. "WAFs have their challenges, but we need them to work," he says. "It's an interim solution that gives us some relief and time" to fix vulnerabilities and Web app code, he explains.

WAF technology is still maturing, and remains a rarity for most Websites today. The trouble with many WAFs is there's no way for a Web administrator configuring one to know everything about a Web application. "Web apps are complex. He can't configure it correctly so it starts blocking things it doesn't know about," says Mark Kraynak, director of product marketing for Imperva Inc. , which sells a WAF. Plus these apps are constantly changing -- anywhere from five to 15 times a week for ecommerce apps, with new categories or pricing, for instance.

"Applications change so much that a static WAF model can't keep up," he says. And early products put undue strain on an application, sometimes crashing it and requiring constant management and configuration. "The good news is that better solutions exist that don't break your apps."

Imperva's SecureSphere uses "dynamic profiling," which automatically adapts to changes in the application so that the Web admin doesn't have to do so manually, and so that the firewall won't block or let in the wrong traffic. It builds a "model of legitimate behavior" in an app, Kraynak says. And the firewall is less intrusive to the Web app than earlier iterations of WAFs, he says.

Although most WAFs are standalone devices, they could eventually become part of load balancers or other types of switches. Grossman says to look for companies like F5 Networks Inc. (Nasdaq: FFIV) and Cisco Systems Inc. (Nasdaq: CSCO) to go this route with WAF technology.

So what exactly can a WAF do for a Website today? It could wipe out the majority of pervasive cross-site scripting and SQL injection flaws, Grossman says -- about 70 to 80 percent of them. "Then the security guys have to prioritize the other vulnerabilities to fix them. They can make better use of their time, and don't have to block everything all the time."

WhiteHat runs Breach Security Inc. 's open-source, software-based ModSecurity firewall for its Web app security service clients. It provides an extra layer, Grossman says, using a set of rules White Hat defined for traffic. "Do we expect it to block everything? No."

Breach Security late last month released a commercial appliance version of ModSecurity called ModSecurity Pro M1000. Kevin Overcash, vice president of product management at Breach, says regulatory pressures such as PCI are starting to drive WAF adoption. And the technology is improving: "It's matured now to the point where we're doing a lot of correlating to reduce false positives and to eliminate the blocking of a legitimate transaction," he says.

ModSecurity's firewall also detects defects in an application design, he notes. "We see the entire app."

But experts feel Web application firewalls have a long way to go until they are stable. "The technology needs to continue maturing before it's ready for mainstream acceptance," says Grossman.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16863
PUBLISHED: 2019-11-14
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
CVE-2019-18949
PUBLISHED: 2019-11-14
SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration.
CVE-2011-1930
PUBLISHED: 2019-11-14
In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DEVICE.conf are not properly escaped. This may allow a remote attacker to send a specially crafted DHCP reply which could execute arbitrary code with the privileges of any process which sources DHCP options.
CVE-2011-1145
PUBLISHED: 2019-11-14
The SQLDriverConnect() function in unixODBC before 2.2.14p2 have a possible buffer overflow condition when specifying a large value for SAVEFILE parameter in the connection string.
CVE-2011-1488
PUBLISHED: 2019-11-14
A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages are logged when $RepeatedMsgReduction was enabled. A local attacker could use this flaw to cause a denial of the rsyslogd daemon service by crashing the service via a sequence of repeated log messages sent withi...