Across the past few decades, the Web Application Firewall (WAF) has become a universally owned tool within security toolkits. Nearly all large enterprises own and maintain WAF to protect data and assets from cyber attackers.
Traditionally, using a WAF simply necessitated deploying it in front of an app. Done. However, modern software development lifecycles have enabled DevOps teams to publish frequent updates. How can the traditional WAF keep pace?
“It’s the worst-kept industry secret that WAFs aren’t all that they’re cracked up to be in the modern world of agile development,” says expert TJ Gonen.
A WAF cannot keep pace with regular application updates. Managing a WAF has morphed into a labor-intensive and complex issue.
If the WAF is dead, how should security professionals proceed? How can organizations prevent web applications from inviting hackers in, like a welcome sign over the front door of Fort Knox? Given that DevOps will keep rapidly churning out new code, how can professionals determine whether or not WAF is worth the maintenance, or whether it’s done for?
Let’s look at what it would take for WAF to keep pace with DevOps
Although network security primarily focused on monitoring static networks, which rely on identical protocols, WAFs were intended to protect web applications that are not identical. Every application is unique and each piece of code has its own intricacies. As a result, each one typically also comes with its own set of vulnerabilities.
Prior to the introduction of cloud storage and the new DevOps approaches to lifecycle management, WAFs were known as mediocre security solutions. Inevitably, with a solution that sits infront of an app rather than inline, contextual analysis is impossible. Without context for understanding the app’s behavior, it’s impossible to determine how to evolve a WAF in parallel with an application.
Education and Rethinking
Machine learning only solved challenges to a certain degree. Despite the fact that sophisticated WAFs require “only” a month to learn a baseline of an application, a month is a significant length of time for an app to exist unprotected. In these situations, humans must step in to help calibrate the WAF. However, the heavy lifting for administrators, in the form of creating alerts and exceptions, taxes IT resources.
Innovate, automate or decimate
Can your WAF truly safeguard a web application from a logic attack, without any human intervention? With continuous software delivery, it’s not feasible. Most WAFs are not in alert mode. Enabling WAFs to block high volumes of alerts will result in alert fatigue. While an administrator can do some fine-tuning, organizations ultimately end up with a security solution that cannot auto-deploy to prevent new logic attacks as the app evolves.
Go fast or get lost
Cloud computing is all about agile processes. Projects that required two weeks in 2015 now take mere seconds. By relying on microservices, organizations can completely transform their apps in just a few minutes. In this new world, it is not the best choice to use a standard pre-cloud application security solution that depends on learning or manual configurations.
When developers tweak code and then hit publish, it’s a unilateral move that fails to put security first.
Organizations using a WAF are relying on the assumption that everything in the environment is generic. In such cases, the WAF is defunct and it’s time to call the florist. The WAF is dead and DevOps killed it. Don’t believe it? Run a forensic analysis to see if your WAF has a pulse or if you’re merely carrying deadweight.
For more on firewalls, check out our firewall Buyer’s Guide.