A beginner’s FAQ on WAF

Website security is a topic that to any kind of beginner greatly resembles quicksand. Dip your toe in and the next thing you know you’re flailing around in over your head and wondering which way is up. That’s precisely why FAQs on essential solutions like WAFs exist, though, so you can get your bearings and keep from ultimately drowning in liquified soil. Or never even attempting to learn about website security and suffering a data breach, which might be worse than that whole drowning in soil thing.

What is a WAF?

A WAF is a web application firewall. It’s a solution designed to shield websites from application security threats by examining their incoming traffic – monitoring and filtering it for suspicious activity and blocking attack attempts.

WAFs tend to be positioned at the edge of a network so they can act as a gateway for all incoming traffic. This ensures attack traffic never reaches the application. This also generally ensures that no changes need to be made to the application when a WAF is deployed, making the process easier.

Does my website need a WAF?

Yes.
Could you tell me why?

Okay, also yes. From a WAF standpoint, websites fall into two basic categories: the ones that need a WAF, and the ones that really need a WAF.

Websites that need a WAF are ones that need to be protected from attack attempts and other malicious traffic like bad bots because of the consequences that can stem from malicious traffic being permitted to mess around with a website. This can include spamming, content scraping and modifying page content (some of which can redirect users to malware), all consequences that can be bad for the owners of even small websites, not to mention their users. An owner of a Game of Thrones fan website that attracts 50-75 users per month, for instance, may think her website is too small or unimportant to attract hacking attempts, and she may be right, but bad bots are indiscriminate and they will do their dirty work anywhere they’re able.

Websites that really need a WAF are the ones that store any kind of sensitive data, whether it is that of a business, the website itself or its users. Web application attacks are the number one cause of data breaches, which makes them the number one cause of angry users, bad publicity and possibly even civil lawsuits and regulatory fines.

What are the major threats a WAF protects against?

If you haven’t already gotten to know and hate the OWASP Top 10, now is the time. The OWASP Top 10 are the most critical threats to web applications. Perennial leading threats include SQL injection and XSS, or cross-site scripting. SQL injection is when an attacker slips SQL of their own into a query the application sends to its database, allowing the attacker to read or modify sensitive data, execute admin operations and, in extreme but unfortunately common cases, issue commands to the operating system. XSS is when an attacker fools a browser into accepting data (typically script) from a malicious source, which then allows the attacker to take over a user session. Consequences of a successful XSS attack include modified page content that leads users to input private data, compromised user accounts and the activation of Trojan horses.

A leading web application firewall will protect against the entire OWASP Top 10 as well as zero-day threats, which are attacks that take place in the window of time between when a vulnerability is discovered and when the developer becomes aware of it and issues a patch. Zero-day threats are essentially unknown vulnerabilities, which makes protecting against them difficult but essential.

What should I look for in a WAF?

Ideally, you want a WAF that is easily deployed at the edge of a network, one that features customizable rules to best meet your site’s specific needs and places an emphasis on eliminating false positives in order to keep from frustrating legitimate users with things like CAPTCHA requests. Some leading WAFs even offer advanced features like virtual patching, which automatically applies new rules at the edge of the network that block exploitation of a known vulnerability, winning the race against hackers while you handle patching the application itself at your own pace.
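As an added illustration (not code from the original post or from any WAF product), here is a toy rule engine showing what the monitoring, filtering and rule-tuning described above look like in practice: every request field is decoded and checked against signatures, and a per-field exception list keeps a rule from firing on legitimate content. The rule patterns, paths and parameter names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus, parse_qsl

# Constructed signature set. Real products ship hundreds of these; two SQL
# injection and two cross-site scripting patterns are enough to show the idea.
RULES = [
    ("sqli-tautology", re.compile(r"(['\"])\s*or\s+\1?\d+\1?\s*=\s*\1?\d+", re.I)),
    ("sqli-union-select", re.compile(r"\bunion\b[\s/*]+\bselect\b", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", re.compile(r"\bon(?:load|error|click)\s*=", re.I)),
]

# False-positive tuning (hypothetical): a CMS editor legitimately posts HTML in
# the "body" field of /admin/posts, so the XSS rules are skipped for that one
# field only. Every other field on that path is still inspected.
FIELD_EXCEPTIONS = {
    ("/admin/posts", "body"): {"xss-script-tag", "xss-event-handler"},
}


def normalize(value: str) -> str:
    """Strip two layers of URL encoding so an encoded payload is matched as text."""
    return unquote_plus(unquote_plus(value))


def inspect(method: str, path: str, query: str, body: str) -> dict:
    """Decide allow/block for one request; report the rule and field that matched."""
    fields = [("path", path)]
    fields += parse_qsl(query, keep_blank_values=True)
    if method.upper() in ("POST", "PUT", "PATCH"):
        # Assumes a form-encoded body; a real WAF also parses JSON, XML, etc.
        fields += parse_qsl(body, keep_blank_values=True)
    for name, raw in fields:
        value = normalize(raw)
        skipped = FIELD_EXCEPTIONS.get((path, name), set())
        for rule_name, pattern in RULES:
            if rule_name in skipped:
                continue
            if pattern.search(value):
                return {"action": "block", "rule": rule_name, "field": name}
    return {"action": "allow", "rule": None, "field": None}


if __name__ == "__main__":
    print(inspect("GET", "/search", "q=shoes", ""))
    print(inspect("GET", "/search", "q=%27+OR+1%3D1--", ""))
```

A plain search for "union select committee" would also be blocked by the second rule, which is exactly the kind of false positive the tuning knobs in a real WAF exist to handle.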

Owners of websites that accept or process credit card payments should also look for a WAF that is PCI (payment card industry) certified.

Is a WAF all I need?

Oh, that it could be so simple. A web application firewall is an integral component of website security, to be sure, and even if that is the only security component a website has it is a huge improvement over, well, nothing. However, a website will be most effectively protected by a full security perimeter. In addition to a WAF this can include using HTTPS and DDoS mitigation.

Staying out of the liquified soil

No one is ever going to pretend that website security is a simple topic. It isn’t, and as websites and businesses grow, website security grows in complexity alongside them. However, for many websites, a solid grasp of the basics like web application firewalls is enough to prevent that discombobulating quicksand plunge as well as even more hideous things like data breaches, cross-site scripting and content scraping.
