Skip to content Skip to navigation Skip to footer

What is WAF Security?

A web application firewall (WAF) defends the Layer 7 perimeter from malicious traffic. In other words, a web application firewall is one of the tools responsible for securing business-critical web apps from the OWASP Top 10, zero-day threats, known or unknown application vulnerabilities, as well as an array of other web application layer attacks that impact the community.

As organizations undergo new digital initiatives and expand the attack surface to enable business, they often find that new web applications and application programming interfaces (APIs) become exposed to dangerous traffic due to web server vulnerabilities, a server plugin, or other issues exploited by OWASP Top 10 threats that aim to disrupt the business community. WAFs help to keep these applications and the content they access secure.

Why WAF's Are Critical for Organizations

Digital innovation (DI) efforts that are driving increased use of web application technologies require a fundamental change in the way that organizations conduct business using digital technology tools, particularly if they want to avoid the various OWASP Top 10 threats.

Successful DI is more than simply deploying technology by companies like Barracuda, Fortinet, and others—it requires a focus on the needs of customers and a willingness to embrace rapid change, including rapid adoption and technology deployment options that help organizations meet the needs of customers. These protections tend to come from a variety of sources, including Imperva, Nginx, Barracuda, and others.

Public cloud and Software-as-a-Service (SaaS) solutions, for example, can help organizations accelerate businesses when properly used and protected by strict security rules, such as those used by Barracuda defense systems or others in the cybersecurity community. Yet, as rapid adoption of these technologies increases the speed of business operations, web application security flaws and OWASP problems sometimes arise, leaving web applications at risk from threats hiding in internet traffic.

As customers increasingly access business applications using unknown bring-your-own-devices (BYOD) on networks that are not controlled with VPN access, organizations must recognize the risks. Even network firewalls can be vulnerable. Traditional perimeter application security tools are not adequate for protecting internet-facing applications from OWASP Top 10 dangers and other application vulnerabilities found in network traffic even though Barracuda can be an otherwise adequate solution for some users.

A new set of rules is needed. Organizations running business-critical applications require tools that address the Layer 7 perimeter. A web application firewall (WAF) is the solution that protects these applications and data.

What Types of Threats Do WAF's Prevent?

Modern web applications require a comprehensive web application firewall to protect important applications against multiple types of web attacks and other threats lurking in network traffic, including the Open Web Application Security Project, or OWASP Top 10, which, “represents a broad consensus about the most critical application security risks to web applications.” These are often leveraged to target a critical network appliance. The OWASP Top 10 includes:

Injection attacks
When untrusted data is sent to an interpreter, an attacker can inject malicious code.
Broken authentication
If authentication mechanisms are not implemented properly, attackers can expose these vulnerabilities.
Sensitive data exposure
Since many web applications and APIs lack data security, attackers can exploit sensitive financial, healthcare, and personal information.
XML external entities (XXE)
Many legacy XML processors evaluate extremal entities, which can be leveraged to disclose internal files.
Broken access controls
When user access and restrictions are not enforced, unauthorized users can potentially access confidential files.
Security misconfiguration
Default or ad-hoc configurations can lead to security misconfigurations that lead to vulnerabilities.
Cross-site scripting (XSS)
When an application includes untrusted data without validation, XSS flaws occur that can be used to perform attacks.
Insecure deserialization
Leads to remote code execution which can be used to perform attacks.
Using components with known vulnerabilities
Components often run with the same privileges as the application. If a vulnerability occurs, all components and applications can be compromised.
Insufficient logging and monitoring
Logging and monitoring that does not integrate with an incident response technology creates insufficient processes.

However, taking the OWASP Top 10 into consideration is just the beginning. OWASP describes the Top 10 as a list of the most pervasive risks that organizations should tolerate. Modern WAF security must go further to address threats outside the scope of the OWASP Top 10, including: 

Bots
Programs that interact with our applications and often mimic human interaction. Good bots may be allowed to interact with an application, and include: search engines, virtual assistants, and content aggregators (e.g., price comparison sites). Bad bot activity can include: web scraping, competitive data mining, personal and financial data harvesting, account takeover, digital ad fraud, and transaction fraud.
Malicious uploads
Many web applications allow users to upload their own content, which can include a variety of malicious code payloads.
Unknown vulnerabilities
Signature-based solutions cannot protect against newly discovered vulnerabilities. A robust WAF solution must be able to defend against threats for which no signatures exist.
Zero-day attacks
Attacks that target previously unknown flaws in an application. When a threat actor discovers a zero-day vulnerability, they can use it to exploit systems that do not have additional defensive measures in place, such as a WAF.
Distributed Denial of Service (DDoS)
The use of a large number of systems, often a botnet of compromised computers, to overwhelm an application so that it cannot respond to user requests. DDoS attacks can attempt to simply overwhelm the system with traffic or may attempt to exploit a flaw in the application logic to achieve the same result.

   

How WAF's Deliver API Protection

The days of basic websites serving up simple Hypertext Markup Language (HTML) pages have passed. Traffic has become more sophisticated. Web applications today deliver mission-critical services using APIs that provide richer, more responsive experiences by letting the client process raw data instead of just rendering simple HTML. These API tools also support the mobile applications that users in the community need to access, thus requiring a web application firewall (WAF) made by a company like Fortinet, Barracuda, or others to ensure they are protected from OWASP Top 10 threats, such as file inclusion vulnerabilities and others seeking to take advantage of internet traffic, a server plugin, or other vulnerabilities.

Giving the client access to that amount of application data, there is the potential to increase the impact if an attacker finds a way to exploit the API’s rules if WAFs by providers like Barracuda, AWS, or Cloudflare are not in place.

 

Traditional web application model
API-based applications that rely on more powerful clients and require a WAF.

WAFs for Compliance

Making the data that web applications rely on available to the application often comes with compliance obligations. WAFs help organizations meet compliance rules as well. Regardless of your service provider, whether it's AWS, Barracuda, Imperva, or another option, compliance needs to be a primary priority. 

Payment Card Industry Data Security Standard (PCI DSS), for example, defines a set of application security standards that organizations handling credit cards must comply with, and PCI 6.6 specifically will often come up when discussing web application firewall technologies designed to keep traffic and assets secure.

The standard requires inspection of traffic to web applications that interact with card data to be inspected and offers two options: either web application code reviews (which can have the impact of slowing down deployments) or deployment of WAFs between the client and the web application. These services are offered by several of the major providers, like Fortinet, Cloudflare, and Barracuda.

In a world where organizations are expected to frequently and rapidly deploy code changes as they adopt DevOps methodologies, a robust web application firewall (WAF) will often be a better solution for meeting these types of compliance rules while protecting the organization from OWASP Top 10 threats.

Advanced Capabilities of WAFs

Organizations must also use providers like Fortinet, Barracuda, or Cloudflare to protect data from modern OWASP threats, all while minimizing any friction to what the end user experiences as they interface with an application and its data traffic.

Frustrating OWASP threat experiences that customers deal with include being blocked based on false positives or navigating excessive CAPTCHA prompts to prove user authentication. The following advanced web application firewall capabilities can ensure optimal experiences for customers:

Machine learning

Traditional web application learning techniques require manual tuning and are prone to false positives. Tuning applications every time there is a change and remediating false positives drives up administrative overhead for teams and others in the organization's community that may already be overburdened. 

Machine learning with web application firewalls that examine cookies can change the game by automatically modeling real web application behavior. The behavior of users can be approximated by analyzing their cookies.  Further, by updating that model automatically as the web application evolves, application security teams and others in the IT department spend less time manual tuning the web application firewalls according to traffic and creating exceptions based on false positives.

Advanced reporting

Simply blocking a site or application to enhance application security is not enough to thwart OWASP threats—organizations need full visibility into event details that web application firewalls (WAFs) can provide. Attack logs should include the critical information that security operations center (SOC) analysts need, such as the Hypertext Transfer Protocol (HTTP) body information, any applicable cookie preferences, and clear indications on why security rules required an application request to be blocked.

 

An attack log detailing critical information via a WAF

APIs for Orchestration With a WAF

In addition to protecting the internet-facing APIs of business applications, an advanced WAF solution must provide its own APIs for managing the WAF itself

Choosing the right WAF

 

AWS WAF with FortiWeb WAF Rules

FortiWeb Cloud WAF as a Service

Backed by Fortiguard Labs threat intelligence

x

x

OWASP Top 10 protection

x

x

Delivered on AWS infrastructure

x

x

API WAF management

x

x

Bot mitigation

x

x

DDoS protection

x

x

Optional FortiSandbox integration

 

x

File protection

 

x

Information leak prevention

 

x

Cross site request forgery (CSRF) protection

 

x

Content delivery network (CDN) included

 

x

Web socket security

 

x

Attack log export to external SIEM

 

x

API security

 

x