Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/14/2007
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Wait for WAFs

Web application firewalls are a first step in getting on top of Web security - but these devices still have a ways to go

Could there be a WAF (Web application firewall) in your future? After some false starts in the past, WAF time could be near, experts say.

Enterprises are having trouble balancing the need to patch newly discovered Website vulnerabilities while also adding new Web features and code to keep their sites fresh, observers say. "Websites are completely riddled with vulnerabilities," says Jeremiah Grossman, CTO of WhiteHat Security , which estimates that 7 out of 10 Websites have cross-site scripting flaws, and 8 out of 10 are generally vulnerable to attack.

Most enterprises don't have the resources to generate new code, functions, and business processes while fixing flaws at the same time, Grossman says. "Unless the end of the world is going to happen for a company, it's a struggle to get vulnerabilities fixed. They need a Plan B."

WAFs could be Plan B if they have the right features, Grossman says. "WAFs have their challenges, but we need them to work," he says. "It's an interim solution that gives us some relief and time" to fix vulnerabilities and Web app code, he explains.

WAF technology is still maturing, and remains a rarity for most Websites today. The trouble with many WAFs is there's no way for a Web administrator configuring one to know everything about a Web application. "Web apps are complex. He can't configure it correctly so it starts blocking things it doesn't know about," says Mark Kraynak, director of product marketing for Imperva Inc. , which sells a WAF. Plus these apps are constantly changing -- anywhere from five to 15 times a week for ecommerce apps, with new categories or pricing, for instance.

"Applications change so much that a static WAF model can't keep up," he says. And early products put undue strain on an application, sometimes crashing it and requiring constant management and configuration. "The good news is that better solutions exist that don't break your apps."

Imperva's SecureSphere uses "dynamic profiling," which automatically adapts to changes in the application so that the Web admin doesn't have to do so manually, and so that the firewall won't block or let in the wrong traffic. It builds a "model of legitimate behavior" in an app, Kraynak says. And the firewall is less intrusive to the Web app than earlier iterations of WAFs, he says.

Although most WAFs are standalone devices, they could eventually become part of load balancers or other types of switches. Grossman says to look for companies like F5 Networks Inc. (Nasdaq: FFIV) and Cisco Systems Inc. (Nasdaq: CSCO) to go this route with WAF technology.

So what exactly can a WAF do for a Website today? It could wipe out the majority of pervasive cross-site scripting and SQL injection flaws, Grossman says -- about 70 to 80 percent of them. "Then the security guys have to prioritize the other vulnerabilities to fix them. They can make better use of their time, and don't have to block everything all the time."

WhiteHat runs Breach Security Inc. 's open-source, software-based ModSecurity firewall for its Web app security service clients. It provides an extra layer, Grossman says, using a set of rules White Hat defined for traffic. "Do we expect it to block everything? No."

Breach Security late last month released a commercial appliance version of ModSecurity called ModSecurity Pro M1000. Kevin Overcash, vice president of product management at Breach, says regulatory pressures such as PCI are starting to drive WAF adoption. And the technology is improving: "It's matured now to the point where we're doing a lot of correlating to reduce false positives and to eliminate the blocking of a legitimate transaction," he says.

ModSecurity's firewall also detects defects in an application design, he notes. "We see the entire app."

But experts feel Web application firewalls have a long way to go until they are stable. "The technology needs to continue maturing before it's ready for mainstream acceptance," says Grossman.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.