This research paper provides a detailed approach for effectively deploying, managing, and integrating a Web Application Firewall into your application security program. Our research shows that WAFs have a bad name, not because of any specific technology flaw, but mostly due to mismanagement. So we wrote Pragmatic WAF Management to cover how WAFs work, why some customers fail to derive value, and how to effectively deploy a WAF to secure applications from the increasing variety of web-based attacks. This excerpt summarizes the paper:
Every time someone on the Securosis team writes about Web App Firewalls we create a firestorm. The catcalls come from all sides: “WAFs suck,” “WAFs are useless,” and “WAFs are just a compliance checkbox product.” Usually this feedback comes from penetration testers who easily navigate around the WAF during their engagements and other factions who find their situations complicated by the presence of a WAF. The people we’ve spoken with who actively manage WAFs – both employees and third party service providers – acknowledge the difficulty of managing WAF rules and the challenges of working closely with application developers. But at the same time, we constantly engage with dozens of companies dedicated to leveraging WAFs to protect applications. These folks understand how WAFs positively impact their overall application security approaches, and are looking for more value from their investment by optimizing their WAFs to reduce application compromises and risks to their systems.
We want to thank Alert Logic for licensing this research.