If we look to the Payment Card Industry Data Security Standard (PCI DSS) for some guidance, we see that it offers...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
two options to protect Web applications: a review of all Web application code, or the deployment of a WAF. It goes on to say "Proper implementation of both options would provide the best multi-layered defense."
Taking your two example enterprises, the first, with a mature software security program, will no doubt already perform source code reviews and vulnerability assessments but could probably still benefit from installing a WAF. The second enterprise should definitely consider installing a WAF, as it's less likely to have the staff with both the extensive application development experience and security expertise required to carry out internal code reviews.
A good security policy will define your objectives and requirements of how you want to secure your data. Since each Web application is unique, risk mitigation must be tailored to the specific application, protecting against the potential threats identified during the threat-modeling process. To ensure a Web application firewall deployment will provide a real benefit, be sure to review which risks it will safeguard against. And from there you can decide which security devices are appropriate to meet those requirements.
It can, however, be difficult to compare the different WAFs once you have narrowed down your choices to a shortlist. Thankfully, the Web Application Security Consortium (WASC) develops and advocates standards for Web application security. They have created the Web Application Firewall Evaluation Criteria (WAFEC), the aim of which is to provide a way for someone to compare one firewall to another. Their testing methodology can be used by any reasonably skilled technician to independently assess the quality of a WAF product.
WAFs, though, aren't a cure-all. They won't protect against application logic flaws or underlying network and operating system-level vulnerabilities. And there are ongoing costs, too. Network administrators must learn how to install, configure and maintain it. You'll also need to ensure that your IT department has the resources to deal with any attacks it identifies, as well as its day-to-day administration. For example, WAFs have more extensive logging capabilities than older packet filter firewalls. Administrators will need time to make the most of this additional information.
Dig Deeper on Web Application Security
Related Q&A from Michael Cobb
Auto-rooting app LevelDropper has the ability to silently root devices and gain system level privileges. Expert Michael Cobb explains how to detect ...continue reading
IT asset tracking can be used to ensure devices stay in a precise location, or to trace missing devices. Expert Michael Cobb covers the most popular ...continue reading
Threat actors are moving from macro malware to using OLE technology to spread their malicious code. Expert Michael Cobb explains what enterprises ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.