If we look to the Payment Card Industry Data Security Standard (PCI DSS) for some guidance, we see that it offers...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
two options to protect Web applications: a review of all Web application code, or the deployment of a WAF. It goes on to say "Proper implementation of both options would provide the best multi-layered defense."
Taking your two example enterprises, the first, with a mature software security program, will no doubt already perform source code reviews and vulnerability assessments but could probably still benefit from installing a WAF. The second enterprise should definitely consider installing a WAF, as it's less likely to have the staff with both the extensive application development experience and security expertise required to carry out internal code reviews.
A good security policy will define your objectives and requirements of how you want to secure your data. Since each Web application is unique, risk mitigation must be tailored to the specific application, protecting against the potential threats identified during the threat-modeling process. To ensure a Web application firewall deployment will provide a real benefit, be sure to review which risks it will safeguard against. And from there you can decide which security devices are appropriate to meet those requirements.
It can, however, be difficult to compare the different WAFs once you have narrowed down your choices to a shortlist. Thankfully, the Web Application Security Consortium (WASC) develops and advocates standards for Web application security. They have created the Web Application Firewall Evaluation Criteria (WAFEC), the aim of which is to provide a way for someone to compare one firewall to another. Their testing methodology can be used by any reasonably skilled technician to independently assess the quality of a WAF product.
WAFs, though, aren't a cure-all. They won't protect against application logic flaws or underlying network and operating system-level vulnerabilities. And there are ongoing costs, too. Network administrators must learn how to install, configure and maintain it. You'll also need to ensure that your IT department has the resources to deal with any attacks it identifies, as well as its day-to-day administration. For example, WAFs have more extensive logging capabilities than older packet filter firewalls. Administrators will need time to make the most of this additional information.
Dig Deeper on Web Application Security
Related Q&A from Michael Cobb
Is cookie encryption enough to protect sensitive information? Expert Michael Cobb explains how salted hashes can prevent attacks, and the secure way ...continue reading
A vulnerability was found in the Blackphone's Icera modem. Expert Michael Cobb explains how attackers could hijack the device, and if this would ...continue reading
Oracle is killing off the Java browser plug-in due to security risks. Expert Michael Cobb explains the next steps for enterprises with Java-based ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.