The Market Problem
With cyber crime now bigger than the drug trade, criminal gangs are organized, skilled and motivated. Primarily they aim to exfiltrate customer data from commercial databases using any means available to them.
Relying on the skill of your own and/or third-party developers to first write flawless code and then fix any issue before it is exploited is often not practical. Statistics from WhiteHat Security reveal that among the 40% of companies that do get regular application security audits (pen tests), on average 11 vulnerabilities are discovered, and on average these remain open for 300 days.
The criminals know this and are continually probing for issues. They have a "hacker's advantage" in that they can search every website for one specific flaw, whereas a defender has to address all threat vectors. For this reason the gangs typically scan all web hosts continually, looking for potential victims.
Breach reports indicate that currently between 25%-50% of breaches occur due to exploitable flaws in web applications.
This is not the only method used by criminals, but it is a significant one that needs to be defended against.
How a Web Application Firewall Can Help
The Web Application Firewall (WAF) is a technology that has emerged to address this problem. A WAF can be configured to blacklist traffic, i.e. use signatures to block malicious requests, and/or to whitelist traffic, i.e. only allow defined pages, parameters, file types etc.
When configured correctly, a WAF can block a large number of generic technical exploitable flaws in a web application without requiring developers to remediate a single line of code.
WAFs do not address application logic flaws; that remains a task for the software development community.
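To make the blacklist/whitelist distinction concrete, and to show the limit described above (a WAF judges request syntax, not business logic), here is a small request filter written for this page. It is an added illustration, not code from any WAF product or from the original article. The signature patterns, the allow policy (pages, parameter regexes, static file types) and the sample request lines are all constructed for the example; a real deployment would use the vendor's rule sets and a policy generated from the application's actual routes.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Negative-security ("blacklist") mode: generic signatures for well-known
# injection shapes. These are deliberately minimal, hypothetical patterns.
SIGNATURES = {
    "sqli-union": re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE),
    "sqli-tautology": re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*", re.IGNORECASE),
    "xss-script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./|%2e%2e%2f)", re.IGNORECASE),
}


# Positive-security ("whitelist") mode: the only pages, parameters and
# static file types this hypothetical application is allowed to serve.
@dataclass
class AllowPolicy:
    # path -> {parameter name -> regex the value must fully match}
    pages: dict
    static_extensions: set = field(default_factory=lambda: {"css", "js", "png"})


POLICY = AllowPolicy(pages={
    "/login": {"user": r"[a-z0-9_]{1,32}", "password": r".{1,128}"},
    "/search": {"q": r"[\w ]{0,64}"},
    "/orders": {"id": r"\d{1,10}"},
})


def blacklist_check(request_line: str):
    """Return the name of the first matching signature, or None.

    The line is checked both raw and percent-decoded so that a payload
    hidden behind URL encoding is still seen by the signatures.
    """
    decoded = unquote_plus(request_line)
    for name, pat in SIGNATURES.items():
        if pat.search(request_line) or pat.search(decoded):
            return name
    return None


def whitelist_check(request_line: str, policy: AllowPolicy):
    """Return None if the request fits the allow policy, else a reason."""
    parts = urlsplit(request_line)
    path, query = parts.path, parts.query
    # Static assets: known extension only, and no query string.
    ext = path.rsplit(".", 1)[-1] if "." in path else ""
    if ext in policy.static_extensions and not query:
        return None
    if path not in policy.pages:
        return f"unknown page {path}"
    allowed = policy.pages[path]
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in allowed:
            return f"unexpected parameter {name}"
        if not re.fullmatch(allowed[name], value):
            return f"malformed value for {name}"
    return None


def inspect(request_line: str, policy: AllowPolicy = POLICY):
    """Run both modes; return ("block", reason) or ("allow", "")."""
    sig = blacklist_check(request_line)
    if sig:
        return ("block", f"signature:{sig}")
    reason = whitelist_check(request_line, policy)
    if reason:
        return ("block", f"policy:{reason}")
    return ("allow", "")


if __name__ == "__main__":
    # Constructed sample request lines (path + query only).
    samples = [
        "/search?q=shoes",                       # legitimate
        "/search?q=%27+OR+%271%27%3D%271",       # encoded SQL tautology
        "/admin/export",                         # page not in the policy
        "/orders?id=42&debug=1",                 # undeclared parameter
        "/static/app.css",                       # allowed static asset
        "/orders?id=43",                         # well-formed; the WAF cannot know
                                                 # whether this user may view order 43
    ]
    for line in samples:
        print(f"{line:40} -> {inspect(line)}")
```

The last sample is the point of the paragraph above: `/orders?id=43` is syntactically identical to a legitimate request, so both modes allow it. Whether the caller is authorised to see that order is an application logic decision that only the code behind the WAF can make.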
Given that a WAF is typically deployed for externally facing applications, where DDoS protection and CDN capabilities are also required, cloud WAFs that combine these three capabilities have grown in popularity.
With these cloud WAF services, your security team is able to configure the WAF for your application through templates, dashboards and APIs.
These services are typically promoted as a range of security controls that can scrub your traffic, but you still require the skills to optimise the tool itself.