Web Application Firewalls and the False Sense of Security They Can Create
Web Application Firewalls (WAFs) are an excellent last line of defense. Based on what I see in my testing, they're great at blocking both automated scans and targeted exploits such as cross-site scripting and SQL injection. I recommend WAFs to clients all the time. But there's more to the story.
Unfortunately, I'm seeing more and more people deploy WAFs to cover up, rather than cure, their web application warts and blemishes. Some are deploying WAFs in lieu of performing security scans and penetration tests: set it and forget it. This is especially common in businesses that treat compliance as a checkbox. WAFs today are where network firewalls were 10-15 years ago: they promise the world, but attackers far and wide know they'll likely find a way around their controls.
WAFs aren't going to protect you against application logic flaws. In many cases they won't stop manually crafted attacks on input validation or session management flaws either, because those requests look like ordinary traffic and carry no signature the WAF recognizes. What about weak passwords in your web application? A correct guess is just a successful login as far as the WAF can tell, so that's yet another flaw that typically goes unguarded.
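To make the point concrete, here is an added example (not code from the original post, and not any vendor's rule set) of a toy signature-based WAF in front of a constructed application. The signatures, the price list, the user table, the session and the four requests are all assumptions made up for the demonstration. Only the request that contains an obvious SQL injection string is blocked; the negative-quantity order, the access to another user's account and the weak-password guess all pass straight through, and only the hardened handlers in the application itself reject them.

```python
import re

# Toy signature WAF: per-parameter pattern matching of the kind a WAF performs.
# The signatures are a constructed sample, not any vendor's rule set.
SIGNATURES = [
    re.compile(r"<\s*script", re.I),                    # cross-site scripting
    re.compile(r"\b(union|select)\b.*\bfrom\b", re.I),  # SQL injection
    re.compile(r"['\"]\s*or\s+\d+\s*=\s*\d+", re.I),    # ' or 1=1
    re.compile(r"\.\./"),                                # path traversal
]


def waf_allows(request):
    """True when no parameter value matches a signature."""
    return not any(
        sig.search(str(value))
        for value in request["params"].values()
        for sig in SIGNATURES
    )


# Constructed back-end state for the examples below.
PRICES = {"sku-100": 50}
USERS = {"alice": "password1"}                  # constructed weak credential
ACCOUNTS = {1: "alice's records", 2: "bob's records"}
FAILED_LOGINS = {}


# --- Vulnerable handlers: each flaw is invisible to the WAF ------------------
def place_order(params, session):
    # Logic flaw: quantity is never validated, so a negative value is a credit.
    return PRICES[params["sku"]] * int(params["qty"])


def view_account(params, session):
    # Authorization flaw: trusts the id parameter rather than the session.
    return ACCOUNTS[int(params["id"])]


def login(params, session):
    # Weak password accepted; unlimited guesses allowed.
    return USERS.get(params["user"]) == params["password"]


# --- Hardened handlers: the checks only the application can make ------------
def place_order_fixed(params, session):
    qty = int(params["qty"])
    if qty < 1:
        raise ValueError("quantity must be positive")
    return PRICES[params["sku"]] * qty


def view_account_fixed(params, session):
    if int(params["id"]) != session["account_id"]:
        raise PermissionError("not your account")
    return ACCOUNTS[int(params["id"])]


def login_fixed(params, session):
    user = params["user"]
    if FAILED_LOGINS.get(user, 0) >= 5:
        raise PermissionError("account locked")   # brute-force guard
    ok = USERS.get(user) == params["password"]
    FAILED_LOGINS[user] = 0 if ok else FAILED_LOGINS.get(user, 0) + 1
    return ok


VULNERABLE_APP = {"/order": place_order, "/account": view_account, "/login": login}
HARDENED_APP = {"/order": place_order_fixed, "/account": view_account_fixed,
                "/login": login_fixed}


def dispatch(request, app):
    """WAF first, then the application handler. Returns (status, result)."""
    if not waf_allows(request):
        return ("blocked", None)
    try:
        return ("ok", app[request["path"]](request["params"], request["session"]))
    except (ValueError, PermissionError) as exc:
        return ("rejected", str(exc))


# Constructed requests. Only the first one contains a signature the WAF knows.
SESSION = {"account_id": 1}
SQLI = {"path": "/account", "params": {"id": "1 UNION SELECT password FROM users"},
        "session": SESSION}
NEGATIVE_QTY = {"path": "/order", "params": {"sku": "sku-100", "qty": "-3"},
                "session": SESSION}
IDOR = {"path": "/account", "params": {"id": "2"}, "session": SESSION}
GUESS = {"path": "/login", "params": {"user": "alice", "password": "password1"},
         "session": SESSION}

if __name__ == "__main__":
    for name, req in [("sqli", SQLI), ("negative qty", NEGATIVE_QTY),
                      ("idor", IDOR), ("password guess", GUESS)]:
        print(f"{name:15} vulnerable={dispatch(req, VULNERABLE_APP)} "
              f"hardened={dispatch(req, HARDENED_APP)}")
```

Note that even the hardened login still accepts "password1" on the first try: the lockout only slows down guessing. A weak password is a flaw in the account provisioning and password policy, and neither the WAF nor the login handler can undo it after the fact.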