Why is Tuning a Web Application Firewall (WAF) Challenging?

Today, websites and web applications are judged on the basis of user experience, which depends on how much time, hassle, and cost the application imposes on its users and on the level of security and privacy it guarantees. Web application security and a WAF (web application firewall) are therefore no longer luxuries or ‘good-to-have’ commodities; security is paramount for every organization, and the WAF is an indispensable part of the security process.

Why is it important to tune a WAF?

To understand the importance of tuning a web application firewall, we must first understand how a web application firewall works. The WAF is the first line of defense at the edge, a protective shield between the application and the web traffic reaching it. It inspects each request (and, depending on the deployment, each response) and its behavior is governed by a specific set of rules, called policies, that tell the WAF which vulnerabilities, gaps, and attack behaviors to look for, what to do when they are found (block, challenge, rate-limit, or just log), and how to protect the application.

It is, therefore, important to tune a WAF for the following reasons.

  • Business needs and risk profiles vary widely between organizations, so the WAF policies must be customized and tuned to the specific needs and profile of each one.
  • Developers make frequent changes to code and application features, and the WAF needs to keep pace with these changes; a rule that was correct last month may block a parameter that was added this week.
  • The threat landscape changes fast, as attackers leverage technology to find new and innovative ways to orchestrate attacks.
  • Applications are built on different web development frameworks, and each framework has its own strengths and drawbacks. The gaps in the framework affect the security level of the application itself, and the WAF rules must be tuned accordingly.
  • Industry estimates put human traffic at only around 41% of the total, with the rest coming from bots. Tuning the policies and settings of the WAF is critical to identifying bad bots and improving the security posture of the application. Just as importantly, the WAF must not block good bots (search engine crawlers, for example), and because a User-Agent header is trivially spoofed, that distinction has to rest on something stronger than the name the client gives itself.
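To make the good-bot point concrete, the following is an added example (not code from the page, from Indusface, or from AppTrana) of the forward-confirmed reverse DNS check that search-engine operators document for verifying their crawlers: resolve the client IP to a PTR hostname, require that hostname to sit under a domain the operator publishes for its crawlers, then resolve the hostname forward and require the connecting IP to be among the answers. The crawler domain suffixes, the DNS table, and the IP addresses (RFC 5737 documentation ranges) are constructed assumptions so the block runs offline; in production the two lookups would be backed by socket.gethostbyaddr and socket.getaddrinfo and cached.

```python
"""Forward-confirmed reverse DNS check for a client that claims to be a search-engine
crawler. Added illustration, not code from the page or from any WAF product. The
resolvers are injected so the example runs offline against a constructed table."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hostname suffixes each operator publishes for its crawlers. These entries are
# assumptions for the example; maintain them from the operators' own documentation.
CRAWLER_DOMAINS: Dict[str, Tuple[str, ...]] = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}

ReverseLookup = Callable[[str], Optional[str]]   # ip -> PTR hostname, or None
ForwardLookup = Callable[[str], List[str]]       # hostname -> addresses it resolves to


@dataclass(frozen=True)
class Verdict:
    allow: bool
    reason: str


def verify_crawler(client_ip: str, user_agent: str,
                   reverse: ReverseLookup, forward: ForwardLookup) -> Verdict:
    """Allow a self-declared crawler only if its source IP is forward-confirmed."""
    ua = user_agent.lower()
    claimed = next((name for name in CRAWLER_DOMAINS if name in ua), None)
    if claimed is None:
        # No crawler claim: fall through to the normal bot and rate-limit policy.
        return Verdict(True, "no crawler claim")
    ptr = reverse(client_ip)
    if not ptr:
        return Verdict(False, f"claims {claimed} but {client_ip} has no PTR record")
    host = ptr.rstrip(".").lower()
    if not host.endswith(CRAWLER_DOMAINS[claimed]):
        return Verdict(False, f"claims {claimed} but PTR {host} is outside its domains")
    # Whoever owns an IP block controls its reverse zone and can publish any PTR,
    # so the hostname must also resolve back to the address that connected.
    if client_ip not in forward(host):
        return Verdict(False, f"claims {claimed} but {host} does not resolve to {client_ip}")
    return Verdict(True, f"verified {claimed} via {host}")


# Constructed DNS data using RFC 5737 documentation addresses (not real crawler IPs).
CONSTRUCTED_PTR: Dict[str, Optional[str]] = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",    # genuine crawler
    "203.0.113.7": "crawl-192-0-2-10.googlebot.com.",   # spoofed PTR on an attacker's own IP
    "198.51.100.9": None,                                # no PTR at all
}
CONSTRUCTED_A: Dict[str, List[str]] = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
}


def constructed_reverse(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)


def constructed_forward(host: str) -> List[str]:
    return CONSTRUCTED_A.get(host, [])


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

if __name__ == "__main__":
    for ip in CONSTRUCTED_PTR:
        print(ip, verify_crawler(ip, GOOGLEBOT_UA, constructed_reverse, constructed_forward))
```

The second constructed address is the case the forward step exists for: an attacker can set any PTR on an IP they control, so a reverse lookup alone would wave the spoofed crawler through, while the forward lookup exposes it. A client that makes no crawler claim is not allowed unconditionally here; it simply proceeds to whatever bot and rate-limiting policy the rest of the WAF applies.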

Why is it challenging to tune a web app firewall?

The biggest conundrum with deploying a web application firewall is that it must keep bad actors, botnets, and malicious traffic from accessing or snooping on the web application, but in the process it must not block legitimate traffic from reaching the website or web application. If a business has to make a tradeoff between availability and security, it will most likely choose availability, since securing a website that nobody can use is of no benefit. Designing WAF policies that avoid false positives requires special expertise and coordinated work between the application team and the security experts throughout the application development lifecycle.

With the fast-changing threat landscape and nature of attacks, if the rule set relies aggressively on a blocklist (signature-matching) model alone, the likely outcome is a high number of false positives: valid requests getting denied. These false positives run against the very logic and purpose of deploying a web app firewall. A WAF that blocks too many legitimate users is doing to the business exactly what a successful denial-of-service attack would do, and is therefore counterproductive for the business employing it. The web app firewall and its rules must be custom-built for the application and tuned on a regular basis to drive false positives toward zero. AppTrana offers an intelligent WAF built with surgically accurate rules written by security experts who work with the application team to ensure zero WAF false positives.
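The following is an added example, not code from the page, from Indusface, or from AppTrana, that shows the blocklist-alone problem on constructed requests and one common shape of tuning: anomaly scoring (each signature adds a weighted score and only the total decides, the approach used by engines such as the OWASP ModSecurity Core Rule Set) combined with per-location rule exclusions agreed with the application team. The signature set, the scores, the threshold, the exclusion for the /posts body field, and the sample requests are all assumptions made for the illustration.

```python
"""Blocklist-only matching versus a tuned policy (anomaly scoring plus per-field
exclusions) on constructed requests. Added illustration, not code from the page or
from any WAF product; the signatures are deliberately small and the scores,
threshold and exclusions are assumptions an operator would set for their own app."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: "re.Pattern[str]"
    score: int


# A small SQL-injection signature set. Each alone is a weak indicator; the score
# reflects how strongly each one suggests an attack rather than ordinary text.
SIGNATURES: Tuple[Signature, ...] = (
    Signature("sqli-union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I), 5),
    Signature("sqli-tautology", re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I), 5),
    Signature("sqli-select-from", re.compile(r"\bselect\b.{1,80}?\bfrom\b", re.I), 3),
    Signature("sqli-comment", re.compile(r"--|/\*"), 2),
    Signature("sqli-quote", re.compile(r"'"), 1),
)

# (path, parameter) -> signature names to ignore at that location. Agreed with the
# application team: this free-text field legitimately carries quotes and dashes.
Exclusions = Dict[Tuple[str, str], FrozenSet[str]]
TUNED_EXCLUSIONS: Exclusions = {
    ("/posts", "body"): frozenset({"sqli-quote", "sqli-comment"}),
}


def signature_hits(params: Dict[str, str]) -> List[Tuple[str, Signature]]:
    """Every (parameter, signature) pair where the signature fires on the value."""
    return [(name, sig) for name, value in params.items()
            for sig in SIGNATURES if sig.pattern.search(value)]


def naive_blocklist(path: str, params: Dict[str, str]) -> bool:
    """Blocklist-only model: any hit on any parameter blocks the request."""
    return bool(signature_hits(params))


def tuned_policy(path: str, params: Dict[str, str],
                 exclusions: Exclusions = TUNED_EXCLUSIONS,
                 threshold: int = 6) -> Tuple[bool, int, List[str]]:
    """Sum the scores of non-excluded hits; block only at or above the threshold."""
    score, fired = 0, []
    for param, sig in signature_hits(params):
        if sig.name in exclusions.get((path, param), frozenset()):
            continue
        score += sig.score
        fired.append(f"{param}:{sig.name}")
    return score >= threshold, score, fired


# Constructed traffic: two legitimate requests that trip signatures, two real attacks.
CONSTRUCTED_REQUESTS = [
    ("legit-name-search", "/search", {"q": "O'Brien"}),
    ("legit-prose", "/posts", {"body": "Don't forget -- the Union Select Committee meets Monday"}),
    ("attack-tautology", "/items", {"id": "1' OR '1'='1"}),
    ("attack-union", "/posts", {"body": "x' UNION SELECT password FROM users--"}),
]


def evaluate_all() -> Dict[str, Tuple[bool, bool]]:
    """label -> (blocked by the naive blocklist, blocked by the tuned policy)."""
    return {label: (naive_blocklist(path, params), tuned_policy(path, params)[0])
            for label, path, params in CONSTRUCTED_REQUESTS}


if __name__ == "__main__":
    for label, (naive, tuned) in evaluate_all().items():
        print(f"{label:18} naive={'BLOCK' if naive else 'allow'}  tuned={'BLOCK' if tuned else 'allow'}")
```

Both legitimate requests are blocked by the naive policy and allowed by the tuned one, while both attacks are still blocked. Note that scoring alone does not rescue the prose request: with the exclusion removed it scores 8 (union-select, comment marker, apostrophe) and is blocked, which is why the text stresses that tuning needs the application team's knowledge of which fields legitimately carry such characters. The exclusion is scoped to one path and one parameter precisely so that the same payload in an id parameter, or a real UNION SELECT in the excluded field, still scores high enough to block.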

The next challenge in tuning the web app firewall stems from the speed at which developers change code, add and remove features, and introduce updates to the application. As mentioned earlier, users judge websites and web applications by the experience they deliver rather than by colors and designs. They expect speed, agility, and security from the applications they use. Growth-oriented organizations and developers strive to keep their applications and UX on par with, or ahead of, competitors to drive more traffic and more conversions. So the policies must be tuned to minimize overhead and performance impact for good traffic, and re-tuned whenever a release changes the parameters, endpoints, or input formats the rules inspect.

Apart from the known vulnerability classes that generic signatures cover, there are vulnerabilities that arise from business logic flaws specific to each business, such as skipping a step in a checkout flow or abusing a legitimate feature at scale. Generic rules cannot detect these, so the WAF policies need to be configured with application-specific rules to tackle them as well. For this, security experts need to understand how the business operates and how changes in business policies will affect the application.

Tuning a web application firewall can also be challenging due to a lack of visibility, real-time insights, and security analytics that security personnel can use to tune the rules; without a view of which rules fire on which requests, and whether those requests were legitimate, there is nothing to tune against. Comprehensive solutions like AppTrana, which also provides manual penetration testing, give complete visibility into business logic flaws and offer 24×7 visibility of the risk posture, along with security analytics and real-time insights that the security experts use to tune the WAF on a regular basis and keep the security solution effective. Besides protecting the application from attacks and exploits, tuning ensures that only relevant traffic is processed by the backend application, so the business does not pay for bandwidth consumed by irrelevant traffic and does not have its logs cluttered with noise. A fully managed web application firewall with continuous tuning can therefore be thought of as providing optimization and agility to the core business on top of protecting it from attacks.


Vivek Gopalan

Vivekanand Gopalan is a seasoned entrepreneur and currently serves as the Vice President of Products at Indusface. With over 12 years of experience in designing and developing technology products, he has a keen eye for building innovative solutions that solve real-life problems. In his previous role as a Product Manager at Druva, Vivek was instrumental in creating the core endpoint data protection solution which helped over 1500 enterprises protect over a million endpoints. Prior to that, he served as a Product Manager at Zighra, where he played a crucial role in reducing online and offline payment fraud by leveraging mobile telephony, collective intelligence, and implicit user authentication. Vivek is a dynamic leader who enjoys building and commercializing products that bring tangible value to customers. In 2010, before pursuing MBA, he co-founded a technology product company, Warmbluke and created a first-of-its-kind innovative Civil Engineering estimator software called ATLAS. The software was developed for both enterprise and for SaaS users. The product helps in estimating the construction cost using CAD drawings. Vivek did his MBA from Queen's University with Specialization in New Ventures. He also holds a Bachelor of Technology degree in Information Technology from Coimbatore Institute of Technology, Anna University, one of the prestigious universities in India. He is the recipient of the D.D. Monieson MBA Award, Issued by Queen's School of Business, presented to a student team which has embraced the team-learning model and applied the management tools and skills to become a peer exemplar. In his spare time, Vivek likes to go on hikes and read books.

This post was last modified on December 8, 2023 15:07
