If we look to the Payment Card Industry Data Security Standard (PCI DSS) for some guidance, we see that it offers...
two options to protect Web applications: a review of all Web application code, or the deployment of a WAF. It goes on to say "Proper implementation of both options would provide the best multi-layered defense."
Taking your two example enterprises, the first, with a mature software security program, will no doubt already perform source code reviews and vulnerability assessments but could probably still benefit from installing a WAF. The second enterprise should definitely consider installing a WAF, as it's less likely to have the staff with both the extensive application development experience and security expertise required to carry out internal code reviews.
A good security policy will define your objectives and requirements of how you want to secure your data. Since each Web application is unique, risk mitigation must be tailored to the specific application, protecting against the potential threats identified during the threat-modeling process. To ensure a Web application firewall deployment will provide a real benefit, be sure to review which risks it will safeguard against. And from there you can decide which security devices are appropriate to meet those requirements.
It can, however, be difficult to compare the different WAFs once you have narrowed down your choices to a shortlist. Thankfully, the Web Application Security Consortium (WASC) develops and advocates standards for Web application security. They have created the Web Application Firewall Evaluation Criteria (WAFEC), the aim of which is to provide a way for someone to compare one firewall to another. Their testing methodology can be used by any reasonably skilled technician to independently assess the quality of a WAF product.
WAFs, though, aren't a cure-all. They won't protect against application logic flaws or underlying network and operating system-level vulnerabilities. And there are ongoing costs, too. Network administrators must learn how to install, configure and maintain it. You'll also need to ensure that your IT department has the resources to deal with any attacks it identifies, as well as its day-to-day administration. For example, WAFs have more extensive logging capabilities than older packet filter firewalls. Administrators will need time to make the most of this additional information.
Dig Deeper on Web application and API security best practices
Related Q&A from Michael Cobb
Geofencing technology is increasingly being used as a security tactic, such as to control access to servers with DNS settings. Expert Michael Cobb ...continue reading
After a remote code execution flaw in PHPMailer was patched, the problem persisted, and had to be repatched. Expert Michael Cobb explains how the ...continue reading
The same-origin security feature in Adobe Flash Player was implemented incorrectly, allowing local attackers to spy on users. Expert Michael Cobb ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.