Is my security program ready for Web application firewall deployment?

BROWSE BY TAG Application Security,   Web Security Tools and Best Practices,   Web Application Security,   Application and Platform Security,   Web Application and Web 2.0 Threats,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Security Do Facebook URL security concerns justify blocking social networks? Is there a way to block iPhone widgets that bypass Web filters? Should enterprises be concerned with Twitter in the workplace? Are there still Google Desktop security problems? Can an IP spoofing tool be used to spam SPF servers? Will an application usage policy best control network bandwidth? How can URL-shortening services be manipulated? How to ensure the security of a shopping cart application When to use the service features of the Metasploit hacking tool Preventing cross-site request forgery attacks Web Application Security Black box and white box testing: Which is best? InZero Systems launches hardware-based security gateway Web application vulnerability assessment shows patching progress Preventing SQL injection attacks: A network admin's perspective Cisco acquires SaaS security vendor ScanSafe Web application firewall use goes beyond compliance, company finds Gumblar Trojan drive-by exploits spike following Adobe update Some Facebook applications lead to Russian attack sites Barracuda acquires Purewire expanding Web security reach An enterprise strategy for Web application security threats Web Application and Web 2.0 Threats Web security firm ranks Firefox, Safari browsers as flaw prone Web application vulnerability assessment shows patching progress Layoffs prompt insider threat fears, cybersecurity survey finds Botnet masters turn to Google, social networks to avoid detection Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Kaspersky system analyzes malicious URLs on Twitter for malware Pushdo botnet uses Facebook to spread malicious email attachment Do Facebook URL security concerns justify blocking social networks? Gumblar Trojan drive-by exploits spike following Adobe update

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary anonymous Web surfing  (SearchSecurity.com) buffer overflow  (SearchSecurity.com) cache cramming  (SearchSecurity.com) cookie poisoning  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) National Computer Security Center  (SearchSecurity.com) threat modeling  (SearchSecurity.com) trigraph  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Occasionally, I come across an organization that has taken the defense-in-depth approach to security too far. It's an organization that has every conceivable security device plugged into its network somewhere. While it's great to see security being taken seriously, this type of setup is never going to be cost-effective or efficient. With that said, it's good to hear you asking when Web application firewall deployment may be appropriate. Despite many vendors' claims, having the latest product isn't a guarantee of security.

If we look to the Payment Card Industry Data Security Standard (PCI DSS) for some guidance, we see that it offers two options to protect Web applications: a review of all Web application code, or the deployment of a WAF. It goes on to say "Proper implementation of both options would provide the best multi-layered defense."

Taking your two example enterprises, the first, with a mature software security program, will no doubt already perform source code reviews and vulnerability assessments but could probably still benefit from installing a WAF. The second enterprise should definitely consider installing a WAF, as it's less likely to have the staff with both the extensive application development experience and security expertise required to carry out internal code reviews.

A good security policy will define your objectives and requirements of how you want to secure your data. Since each Web application is unique, risk mitigation must be tailored to the specific application, protecting against the potential threats identified during the threat-modeling process. To ensure a Web application firewall deployment will provide a real benefit, be sure to review which risks it will safeguard against. And from there you can decide which security devices are appropriate to meet those requirements.

It can, however, be difficult to compare the different WAFs once you have narrowed down your choices to a shortlist. Thankfully, the Web Application Security Consortium (WASC) develops and advocates standards for Web application security. They have created the Web Application Firewall Evaluation Criteria (WAFEC), the aim of which is to provide a way for someone to compare one firewall to another. Their testing methodology can be used by any reasonably skilled technician to independently assess the quality of a WAF product.

WAFs, though, aren't a cure-all. They won't protect against application logic flaws or underlying network and operating system-level vulnerabilities. And there are ongoing costs, too. Network administrators must learn how to install, configure and maintain it. You'll also need to ensure that your IT department has the resources to deal with any attacks it identifies, as well as its day-to-day administration. For example, WAFs have more extensive logging capabilities than older packet filter firewalls. Administrators will need time to make the most of this additional information.