Everything you’d want to look for in a web application firewall.
Did you know that it can take up to 5 months to patch even the most critical vulnerabilities? The Web Application Security Statistics Report states that most companies fix critical vulnerabilities in 146 days on average.
Would hackers wait for your developers to patch code? Even if they have time on hand, wouldn’t you want that time to be spent on more critical business functions? That’s why you need an effective and cost-efficient cloud WAF.
According to the Open Web Application Security Project (OWASP), WAF applies a set of rules to an HTTP conversation to block common attacks. It means that a Web Application Firewall (WAF) is designed to patch application weaknesses. It stops attacks exploiting cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection without development/code changes in the application.
Sounds easy, right? However, with dozens of WAF vendors and a lack of relevant technical guides, companies often struggle with finding the right product. Our security analysts along with industry experts have come up with this guide specifically for companies comparing different WAF products. Here are the features that should be at the top of your checklist.
(with hybrid deployment model)
In 2008, Arizona State University published a revolutionary article on the future of cloud computing. They compared SaaS models with electricity.
When you plug in a toaster, you do not have to think how far the electrons traveled from the source (coal/nuclear/hydro powered station) in order to power your home. You know that the power is there, and you can pay for the usage every month. You probably will never wonder what the costs of setting up such a power plant would be.
Web application firewall (and the entire SaaS industry) has evolved in a similar fashion. Earlier, when you had to invest in on-premise WAFs, only multimillion-dollar organizations could afford it.
As the online businesses flourished, security concerns and requirement grew too. Not every online company would want to spend such huge sums on the installed device that would also require software upgrades. It’s slow, costly, and unnecessary.
Today, WAFs is the top choice for exponentially-growing online businesses who desire ease of deployment and lower monthly costs.
Additionally, it is also important to support a hybrid deployment model in order to enable your transition towards the cloud (if required) and it cannot happen overnight. You simply cannot delay security choices during the migration to the cloud nor can you make an investment in an on-premise deployment if it does not support the transition to the cloud at no additional cost.
One of the main barriers of cloud WAF adoption is the concern that there could be an impact on performance and response time of the website due to an additional hop. This is a valid concern but can be easily mitigated based on certain capabilities the cloud WF can enable. Most cloud WAF provider should provide an option to enable a CDN along with the WAF service at no additional cost. This ensures that you can actually get a boost in website performance along with security as most of the sites (even the dynamic ones) have more than 75% static content that can be served automatically from the closest edge from where the user is browsing. Also check if the cloud WAF infrastructure is hosted and built on existing public cloud architectures such as AWS or Azure, as it ensures they can and will automatically be able to enable multiple region support quickly to ensure the entire content including the dynamic ones is served in the most optimal manner to end user and thereby providing a no trade-off website security offering.
Ensure that across all these deployment models there is a centralized console for management and visibility of the application security provided to the customers.
Distributed denial of service (DDoS) attacks make an online service unavailable. Such attacks exploit numerous zombie/compromised/hacked systems or other network resources. By definition, every website is vulnerable to DDoS attacks.
DDoS attacks cost up to $100, 000 per hour and if you are planning on comparing a web application firewall, it’s desirable to have some kind of DDoS protection from these attacks.
Modern, intelligent WAFs monitor your traffic continuously to protect against Layer 3, 4 and 7 attacks. Their global threat database feeds attack history and threat intelligence to your WAF for protection.
(based on application risks with quick, managed protection)
Suppose there is an exclusive vulnerability in your application (OWASP calls it Business Logic Flaws) and you want the WAF to cover it. How difficult would that be?
There are several web application firewall vendors that charge for creating custom rules on a per request basis. That would be frustrating and costly if you have a complex website requiring several rules. Also, make sure the guarantee provided by the vendor will check for false positives. The responsibility of testing and putting them in block mode should not rest solely with the customer but also with the vendor providing those rules and security policy updates. Look for vendors who back their custom rule services with a Zero False positive assurance backed with a Service Level Agreement (SLA).
Ideally, the web application firewall should allow you to request custom rules from the portal without creating a fuss about it or charging you for each request. Ensure that you compare this feature from different WAF vendors before paying.
Enabling WAF policies without an understanding of your application vulnerabilities may put your application at high risk. It is important that the WAF provides an integrated offering to include security testing of your application and an integrated offering to instantly protect against those risks, along with the option to request custom rules.
Also, the WAF must come with default policies that can be deployed in BLOCK mode from day-1 so that most of the common attacks can be blocked instantly.
Security intelligence is an unparalleled asset.
It helps you build stronger web applications that can guard requests, protecting critical data. WAF logs are critical to building a central security intelligence repository.
While a basic web application firewall act as robots blocking requests based on prewritten rules, intelligent WAFs give you the power of decision-making.
It’s a no-brainer. You wouldn’t want to purchase a critical tool such as a web application firewall without a trial. After all, you will only gauge potential benefits and/or product compatibility issues after the onboarding.
Ensure that the WAFs that you compare have a full feature trial option without “money-back” or “we need a card for authentication” prerequisites. You wouldn’t want to enter a credit card for 3 different subscriptions for trial and end up being charged for them.
Ideally, a full-feature WAF trial should include everything that it has to offer for testing, but you can also settle for the following:
Whether you are a startup, a small business, or a booming giant, web application firewalls have become a modern online business necessity. Irrespective of your company’s patching capabilities, you cannot afford risks with customer data, financial transactions, and asset availability.
Also, the WAF has to facilitate the customer journey into cloud adoption by allowing hybrid deployment models but with the cloud benefit of a centralized pane for visibility of security posture across all web application independent of where the firewall is deployed
According to Gartner, using a SaaS-based managed web application firewall such as AppTrana is a good alternative for enterprises that do not want to procure new hardware and have time to hire and train staff to manage it.
Get Instant Protection, Continuous Management & Zero False positive WAF. Start a Free Trial
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.