Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/14/2007
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Wait for WAFs

Web application firewalls are a first step in getting on top of Web security - but these devices still have a ways to go

Could there be a WAF (Web application firewall) in your future? After some false starts in the past, WAF time could be near, experts say.

Enterprises are having trouble balancing the need to patch newly discovered Website vulnerabilities while also adding new Web features and code to keep their sites fresh, observers say. "Websites are completely riddled with vulnerabilities," says Jeremiah Grossman, CTO of WhiteHat Security , which estimates that 7 out of 10 Websites have cross-site scripting flaws, and 8 out of 10 are generally vulnerable to attack.

Most enterprises don't have the resources to generate new code, functions, and business processes while fixing flaws at the same time, Grossman says. "Unless the end of the world is going to happen for a company, it's a struggle to get vulnerabilities fixed. They need a Plan B."

WAFs could be Plan B if they have the right features, Grossman says. "WAFs have their challenges, but we need them to work," he says. "It's an interim solution that gives us some relief and time" to fix vulnerabilities and Web app code, he explains.

WAF technology is still maturing, and remains a rarity for most Websites today. The trouble with many WAFs is there's no way for a Web administrator configuring one to know everything about a Web application. "Web apps are complex. He can't configure it correctly so it starts blocking things it doesn't know about," says Mark Kraynak, director of product marketing for Imperva Inc. , which sells a WAF. Plus these apps are constantly changing -- anywhere from five to 15 times a week for ecommerce apps, with new categories or pricing, for instance.

"Applications change so much that a static WAF model can't keep up," he says. And early products put undue strain on an application, sometimes crashing it and requiring constant management and configuration. "The good news is that better solutions exist that don't break your apps."

Imperva's SecureSphere uses "dynamic profiling," which automatically adapts to changes in the application so that the Web admin doesn't have to do so manually, and so that the firewall won't block or let in the wrong traffic. It builds a "model of legitimate behavior" in an app, Kraynak says. And the firewall is less intrusive to the Web app than earlier iterations of WAFs, he says.

Although most WAFs are standalone devices, they could eventually become part of load balancers or other types of switches. Grossman says to look for companies like F5 Networks Inc. (Nasdaq: FFIV) and Cisco Systems Inc. (Nasdaq: CSCO) to go this route with WAF technology.

So what exactly can a WAF do for a Website today? It could wipe out the majority of pervasive cross-site scripting and SQL injection flaws, Grossman says -- about 70 to 80 percent of them. "Then the security guys have to prioritize the other vulnerabilities to fix them. They can make better use of their time, and don't have to block everything all the time."

WhiteHat runs Breach Security Inc. 's open-source, software-based ModSecurity firewall for its Web app security service clients. It provides an extra layer, Grossman says, using a set of rules White Hat defined for traffic. "Do we expect it to block everything? No."

Breach Security late last month released a commercial appliance version of ModSecurity called ModSecurity Pro M1000. Kevin Overcash, vice president of product management at Breach, says regulatory pressures such as PCI are starting to drive WAF adoption. And the technology is improving: "It's matured now to the point where we're doing a lot of correlating to reduce false positives and to eliminate the blocking of a legitimate transaction," he says.

ModSecurity's firewall also detects defects in an application design, he notes. "We see the entire app."

But experts feel Web application firewalls have a long way to go until they are stable. "The technology needs to continue maturing before it's ready for mainstream acceptance," says Grossman.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3349
PUBLISHED: 2019-11-19
lightdm before 0.9.6 writes in .dmrc and Xauthority files using root permissions while the files are in user controlled folders. A local user can overwrite root-owned files via a symlink, which can allow possible privilege escalation.
CVE-2019-10080
PUBLISHED: 2019-11-19
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI ...
CVE-2019-10083
PUBLISHED: 2019-11-19
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.
CVE-2019-12421
PUBLISHED: 2019-11-19
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to m...
CVE-2019-19126
PUBLISHED: 2019-11-19
On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR ...