Today, websites and web applications are judged on the basis of user experience, which is directly proportional to the time, hassle and costs to the users and the level of security and privacy guaranteed. So, web application security and WAF (web application firewall) is not a luxury or ‘good-to-have’ commodities anymore; security is paramount for all organizations and WAF, is an indispensable part of the security process.
To understand the importance of tuning a web application firewall, we must first understand how web application firewall works. The WAF is the first line of defense at the edge and protective shield between the application and the web traffic. Its functioning is dependent on the specific set of rules called policies which tell the WAF which vulnerabilities, gaps, attack behaviors to look for, what to do if these are found, how to protect the application, etc.
It is, therefore, important to tune a WAF for the following reasons.
The biggest conundrum with deploying a web application firewall is that it must keep away bad actors, botnets and malicious traffic from the accessing/ snooping the web application but in the process, it must not block legitimate traffic from accessing the website/ web application. If a business has to make a tradeoff between availability and security most likely they will choose availability as without availability securing the website is of no use. Ensuring the WAF policies are designed to not have any false positives requires special expertise and coordinated working between the application team and the security experts throughout the lifecycle of the application development.
With the fast-changing threat landscape and nature of attacks, if the set of rules aggressively works with the blacklisting model alone, the possible outcome is a high number of false positives – valid requests getting denied. These false positives are adversarial to the very logic and purpose of deploying a web app firewall. Too many false positives indicate that the WAF is doing to the same thing that a successful attack will do and is, therefore, counterproductive for the business employing it. The web app firewall and its rules must be custom-built and tuned on a regular basis to ensure zero false positives. AppTrana offers an intelligent WAF which is built with surgical accurate rules written by security experts who work with the application team to ensure Zero WAF false positives…
The next challenge in tuning the web app firewall permeates from the speed at which developers the change code, add and remove features and introduce updates to the application. As mentioned earlier, websites and web applications are judged by users on the basis of the user experience rather than colors and designs. Users expect speed, agility, and security from the applications. Growth-oriented organizations and developers strive to keep their applications and UX on par with or edgier than competitors to drive more traffic and ensure more conversions. So, the policies must be tuned such that it minimizes overhead and performance impact for good traffic
Apart from the known vulnerabilities, there are vulnerabilities that arise from business logic flaws that are specific to every business. The WAF policies need to be configured to tackle these vulnerabilities as well. For this, security experts need to understand how the business operates and how the changes in business policies will affect the application.
Tuning a web application firewall can also be challenging due to a lack of visibility, real-time insights and security analytics that security personnel can use to tune the rules. Comprehensive solutions like AppTrana which also provides manual Pen testing provides complete visibility into business logic flaws and offer 24×7 visibility of the risk posture along with security analytics and real-time insights which are leveraged by the security experts to tune the WAF on a regular basis to ensure that the security solution is effective. Tuning ensures besides preventing the applications from attacks and exploits, it allows only relevant traffic to be processed by the backend application and they do not have to pay for bandwidth for irrelevant traffic or have noise in their logs with irrelevant data. A fully managed web application firewall with continuous tuning can hence be thought of as providing optimization and agility to the core business on top of ensuring it is protected from attacks.
At Indusface, Vivek owns the product roadmap and is responsible for gathering and prioritizing product and customer requirements, defining the product vision, working closely with engineering, sales, marketing and support to build and release the product and ensuring revenue and customer satisfaction goals are met. A technologist with 6+ years of product management experience and 10+ years of total professional work experience, Vivek has worked with domestic and international start-ups with proven ability to define, design and develop technology products, and effectively market product benefits and capabilities to customers.