It can be all too easy to play Monday morning quarterback about an entire plethora of topics. Hindsight is, after all, 20/20, especially when it’s someone who was not at all involved in the incident using that hindsight. You drove into a ditch swerving to avoid a squirrel? You shouldn’t have swerved for a squirrel. You shouldn’t have eaten fried chicken that had been sitting out all day. You shouldn’t have bet against Rocky in Rocky II. Easy for you to say, Mr. Perfect.
Some mistakes, however, occur so frequently and with such disastrous consequences, observers cannot be blamed for their incredulity or their could’ves, should’ves and would’ves. Such as when yet another website or business suffers a tremendous data breach that one single solution could’ve gone a long way to preventing. Yes, it’s time to learn about the web application firewall.
WAF it’s all about
A web application firewall, or WAF, is a security solution designed to protect websites from web application threats, meaning the threats that arrive as malicious incoming HTTP traffic. Web applications are the client-server programs that website users interact with through a web browser, so they face traffic ranging from normal website users to good bots, bad bots, and outright attack attempts.
WAFs go to work at the edge of the network and monitor all of that incoming traffic for suspicious activity, filtering or blocking when appropriate before any traffic ever reaches the web application. This keeps malicious traffic or attack traffic from doing its intended damage. It also keeps the implementation of a WAF from being a big deal as it generally does not require any changes to the web application.
The protection particulars
A big part of what WAFs do is protect against the OWASP Top 10, the biggest threats to web applications. This list tends to be headed by threats like SQL injection, which allows an attacker to read or modify sensitive data by injecting SQL into a query the application sends to its database. In some cases, an attacker may even be able to use these injections to issue commands to the operating system or execute administrative operations. A cross-site scripting or XSS attack is also a perennially common OWASP Top 10 threat: it tricks a user's browser into executing attacker-supplied script or markup as if it came from the site, often resulting in a taken-over session, compromised user accounts or stolen private data.
A web application firewall can also protect against zero-day threats, which are attacks that occur between when a vulnerability is discovered and when it is patched. This is because leading WAFs can automatically apply virtual patches at the edge of the network, that is, rules that block the requests which exploit a given vulnerability, protecting applications that have not yet been patched. The same mechanism covers old vulnerabilities that businesses have neglected to patch.
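To make the mechanism concrete, here is an added example (not code from the original post or from any WAF product) of the request inspection described above: a small WSGI middleware that checks decoded request parameters against signature rules for SQL injection and XSS, plus one hypothetical virtual patch that refuses path-traversal values in the `file` parameter of an assumed `/export` endpoint, so the application behind it needs no change. The rule patterns, the endpoint and the parameter name are all constructed for the illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed signature rules, modelled on the inspection a WAF does at the edge.
# Each entry: (rule id, description, regex applied to every decoded parameter value).
RULES = [
    ("sqli-001", "SQL injection: tautology, comment or stacked query",
     re.compile(r"(?i)('\s*or\s*'|\bor\b\s+\d+\s*=\s*\d+|--|;\s*drop\b|\bunion\b\s+select\b)")),
    ("xss-001", "Cross-site scripting: script tag, javascript: URL or event handler",
     re.compile(r"(?i)(<\s*script\b|javascript:|\bon\w+\s*=)")),
]

# Hypothetical virtual patch: assume the application mishandles the `file`
# parameter on /export until the real fix ships. The WAF refuses traversal
# sequences on that endpoint only; other endpoints are unaffected.
# parse_qs already decodes one layer of %-encoding, so the `%2e%2e` alternative
# catches values that were encoded twice.
VIRTUAL_PATCHES = [
    ("vpatch-export-file", "/export", "file", re.compile(r"\.\./|%2e%2e", re.I)),
]


def inspect_request(path, query_string, body=""):
    """Return (allowed, rule_id): rule_id names the first rule that matched, else None."""
    params = parse_qs(query_string, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    for name, values in params.items():
        for value in values:
            for rule_id, _desc, pattern in RULES:
                if pattern.search(value):
                    return False, rule_id
            for vp_id, vp_path, vp_param, vp_pattern in VIRTUAL_PATCHES:
                if path == vp_path and name == vp_param and vp_pattern.search(value):
                    return False, vp_id
    return True, None


class WAFMiddleware:
    """WSGI middleware: answers 403 for matching requests before the app ever runs."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        query = environ.get("QUERY_STRING", "")
        body = ""
        if environ.get("REQUEST_METHOD") == "POST":
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
        allowed, rule_id = inspect_request(path, query, body)
        if not allowed:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [f"blocked by rule {rule_id}\n".encode()]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the protected web application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the application\n"]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Try: curl "http://localhost:8080/search?q=shoes" (200) versus
    #      curl "http://localhost:8080/export?file=../../etc/passwd" (403)
    make_server("localhost", 8080, WAFMiddleware(demo_app)).serve_forever()
```

Signature rules like these are deliberately simple and will both miss obfuscated payloads and flag legitimate input (a comment containing `--`, for instance), which is why production WAFs normalize encodings, score anomalies and let operators tune rules per application; the virtual patch shows the other half of the value, a narrow rule tied to one endpoint and parameter that buys time until the application itself is fixed.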
Consequences of a WAF-less website
Not only are web applications the leading source of data breaches, but successful attacks and intrusions on a web application have a way of making organizations look foolish. The OWASP Top 10 doesn't change much year to year, so when a business loses data to a successful SQL injection, for example, it is falling to one of the best-known threats on the internet. Experiencing a data breach due to an unpatched vulnerability is arguably even worse, because vulnerabilities can be and are exploited months and years after they were discovered and a patch was issued.
One famous example of a failure to patch leading to a massive disaster is the Equifax data breach, which saw the private data of 143 million Americans compromised between May and June of 2017 through a vulnerability that was discovered and had a patch issued in March.
In short, without a web application firewall, organizations are not only risking attacks like data breaches and the multi-million dollar consequences that can accompany them, but they’re also at risk of looking really, really stupid when it happens.
The predictable future
No one likes a day-after know-it-all, but when it comes to web application firewalls and the well-known threats and devastating consequences they can protect against, it’s more like foresight that’s 20/20, not hindsight.
A leading WAF that’s easy to deploy, has customizable rules and features virtual patching makes a world of difference for websites of all sizes, protecting users, user loyalty, business reputation and so much more. Unlike betting against Rocky, this one is a sure thing.