For evaluating a web application firewall, I would be looking at a few things. First, credibility is very important. You can’t just pick a product, be its first user, and integrate it into your product because it’s the only option. That’s typically just a wrong decision. You want to see some credibility.
Performance is something you check right out of the gate; you will disqualify products on it immediately. It’s not the most important thing in the evaluation, but if you don’t have it, there’s no point continuing.
So I would try to see some proof that it works at scale: what the overheads are, in milliseconds, at the different stages.
Then a very practical challenge for firewalls is the out-of-the-box rules: who designed them, and how much support we will have in keeping that firewall running.
Because it typically comes with a human cost: you’re purchasing a firewall, but the biggest overhead will be how many people will be managing it.
Support, troubleshooting, maintenance costs, out-of-the-box rules, and hints such as what experience previous customers had with that company in managing it.
And as a rule, I represent a technology company; I don’t want to be in the business of creating a firewall, right?
You just can’t do everything, and you should be laser-focused on your business. I should understand it well enough to lead that correctly, but I shouldn’t be building my own firewall.
So I would like to work with an expert who has thought about the rules and best practices, and then bring that to the table.
The last one, I’d say, is deployment options, which are very important, because you mentioned in a previous question how we deal with situations when things are not in our system, with those third-party components. I think that’s where it depends on how important security is for you. In the banking sector, it’s the utmost priority.
So our design choices had to assume that it would happen; you cannot act like you were surprised one day when it happened. So we went with a very granular infrastructure provider like AWS.
This is the biggest reason we didn’t use Google Cloud: the granularity of your configurations, network configurations, and the level of control over the components is extremely fine-grained. You can go to any level you want, and that drives our choices, because we want to be able to carve out problems ourselves and mitigate them while waiting for the solution.
Or switch to an alternative service. And yeah, when it comes to firewalls, we even use some sort of firewalls at different levels, like other types of firewalls, and we’ll have backup options.