Over the past few months, I’ve spoken with dozens of people in the industry about the monitoring and protection of Web applications after deployment in production. Having spent most of my professional life in the world of the SDLC (Software Development Life Cycle), this was a new world for me.
One thing that stood out for me in all of these conversations was that, when discussing web application protection, the subject of WAFs (Web Application Firewalls) is unavoidable. The WAF is a fairly mature technology; its typical embodiment is an appliance that sits in front of an application, like a guard securing the entrance to a building. At the heart of its functionality is a database of signatures used to differentiate the "good" traffic from the "bad". And sadly, the big takeaway from my conversations with application security professionals was that WAFs are failing in their basic task of protecting applications. Many organizations now only use WAFs in monitoring mode, having given up in the face of the limitations of the technology and the products.
In a now slightly dated, but still accurate and relevant paper "Pragmatic WAF Management: Giving Web Apps a Fighting Chance", Adrian Lane at Securosis summarizes the problems with WAFs in production thus:
"Frequent releases and application changes require continuous maintenance of WAF rules."
"Absence of skills, resources, or time leads to incorrect, or insecure configurations."
"Configuration / operation issues lead to disabling of protection with monitoring enabled for compliance purposes."
The paper argues that "the most serious problems with WAF are not about technology, but with management." The rapid adoption of dynamic Web technologies by the development community makes the life of the WAF administrator more and more difficult. To be successful, protective technology must be adaptable to the business, not the other way around.
Emerging technologies like Runtime Application Self-Protection (RASP) aim to improve or completely replace WAFs. This move towards the full integration of protective technologies in the development environment seems like a move in the right direction, just as it was with memory management more than a decade ago. Perhaps prophetically, a recent blog post "WAF is dead, long live RASP" by Anand Chavan, CEO of GuardX, concludes that "if you are in the Web Application Firewalls / Intrusion prevention system space, get out ... it's dead!"
Effective Web Application Protection
To further explore the validity of this prophecy, I invited two experts in the field with extensive experience in Web Application Firewalls and Runtime Application Self-Protection, John Stauffacher and Mario Contestabile, and asked them to share some of their experiences this Thursday, February 4th. We will talk about what security administrators need to focus on when configuring and managing WAFs for protection, get a brief overview of RASP, and answer as many questions from the audience as we possibly can.
Register here to join the conversation and learn how to better protect your applications and stay ahead of the game: