If we look to the Payment Card Industry Data Security Standard (PCI DSS) for some guidance, we see that it offers two options to protect Web applications: a review of all Web application code, or the deployment of a WAF. It goes on to say "Proper implementation of both options would provide the best multi-layered defense."
Taking your two example enterprises, the first, with a mature software security program, will no doubt already perform source code reviews and vulnerability assessments but could probably still benefit from installing a WAF. The second enterprise should definitely consider installing a WAF, as it's less likely to have the staff with both the extensive application development experience and security expertise required to carry out internal code reviews.
A good security policy will define your objectives and requirements of how you want to secure your data. Since each Web application is unique, risk mitigation must be tailored to the specific application, protecting against the potential threats identified during the threat-modeling process. To ensure a Web application firewall deployment will provide a real benefit, be sure to review which risks it will safeguard against. And from there you can decide which security devices are appropriate to meet those requirements.
It can, however, be difficult to compare the different WAFs once you have narrowed down your choices to a shortlist. Thankfully, the Web Application Security Consortium (WASC) develops and advocates standards for Web application security. They have created the Web Application Firewall Evaluation Criteria (WAFEC), the aim of which is to provide a way for someone to compare one firewall to another. Their testing methodology can be used by any reasonably skilled technician to independently assess the quality of a WAF product.
WAFs, though, aren't a cure-all. They won't protect against application logic flaws or underlying network and operating system-level vulnerabilities. And there are ongoing costs, too. Network administrators must learn how to install, configure and maintain it. You'll also need to ensure that your IT department has the resources to deal with any attacks it identifies, as well as its day-to-day administration. For example, WAFs have more extensive logging capabilities than older packet filter firewalls. Administrators will need time to make the most of this additional information.
This was first published in August 2009