Attackers may target Web applications as much as they ever did, but there are increasing questions about how best to fit Web application firewalls into corporate defenses. Some security consultants have found they aren't worth the expense and effort needed to purchase, implement and manage them, given the disruption they can cause in enterprise network operations. Plus, without real attention to proper tuning, savvy hackers can often...
breeze past them.
Jason Haddix, HP Fortify's director of penetration testing, noted that "even good WAFs [Web application firewalls] can go wrong." He said his team "recently did an evaluation of the top 10 WAFs and found they can be bypassed the majority of the time due to configuration flaws."
The cautionary tone about WAFs comes, ironically, at a time when attacks against Web applications make up an increasing percentage of port-based attacks. According to the Akamai's latest State of the Internet report (for the second quarter of 2013), attacks against Web application ports 80 and 443 increased, putting them in spots one and two among the ten most-attacked ports. Since Akamai first began releasing the reports in 2008, this was the first time Microsoft-DS, port 445, wasn't in first place.
WAFs have emerged -- at least in part -- as an antidote to the difficulty of improving the security of Web applications themselves. Even with groups such as the Open Web Application Security Project (OWASP) evangelizing the importance of integrating security into the Web development process -- and with OWASP releasing a yearly "top 10" report in order to raise awareness of the most critical risks -- it's still an uphill battle.
WhiteHat Security's Website Security Statistics Report from May 2013 indicated that while the average number of serious vulnerabilities decreased per website from previous years, "… 86% of all websites tested [using] WhiteHat Sentinel [application scanning tool] had at least one serious vulnerability." According to a survey from Forrester Research of 50 EU enterprises, the talent and time necessary to build in security is difficult to find, with 80% of organizations indicating they lack the internal expertise necessary.
The challenges presented in securing Web applications are the impetus for recommendations from analyst firms such as Gartner for the implementation of a WAF. According to their report on the WAF market, published in June 2012, WAF sales amounted to approximately $278 million in 2011, up %17 from the previous year. Companies seem to want the extra layer of protection offered by WAF, and the Forrester survey indicated that in most organizations, a WAF is usually implemented or on the roadmap.
But is this Band-Aid approach effective? Respected security advisory firms Gartner and Securosis noted several specific barriers to an effective WAF deployment. When applying any new security control, there's a fear of affecting applications and the user experience and the business processes they enable. Gartner specifically warned of overly restrictive WAF policies causing disruptions when the application is changed, ultimately resulting in a loosening of standards and therefore less effective protection.
According to the Securosis report, Pragmatic WAF Management: Giving Web Apps a Fighting Chance, WAF management becomes the center of a push-pull: security operations versus developers and standards versus nimble, fast changes.
Some of these problems could be the result of unrealistic expectations, according to Securosis, especially if an organization is simply trying to find a cheaper way to deploy application security. Frequently, the root cause is a failure to understand that compliance initiatives and security don't always overlap.
But the most significant roadblock to a successful WAF implementation may be a human one. The integration of this technology into an environment requires increased resources, which many smaller organizations simply don't have. Gartner noted that WAFs come with a high initial deployment cost compared to other technologies. This is partly due to hardware or software licensing costs, but more attributable to the required expertise of personnel who can manage a WAF effectively.
In a 2011 report, application security consultant Larry Suto evaluated six WAFs and determined their average effectiveness to be 62% -- after configuration by an expert. He recommended – in order to provide the maximum benefit -- that WAFs "be tuned by a trained professional." He also advised their use in conjunction with other application security tools, such as dynamic analysis security testing, static analysis security testing, risk management and an intrusion prevention system.
HP Fortify's Haddix agreed that WAFs require care and feeding by experts: "We looked into how WAF's determine what addresses they need to check and not check. We found that some were configured to read this through HTTP headers, which can be completely forged by the attacker. We simply told the WAF's that the connections were coming from 127.0.0.1 (the home address of the WAF itself), and it wouldn't filter our traffic. This wasn't a technical hack, but an intended 'feature' that a lot of deployments were leaving open to attackers.
"It just goes to show," Haddix added, "you need someone to understand the WAF in depth, just like 10 years ago when you had a dedicated IDS [intrusion detection system] guy on staff to monitor that emerging technology."
Tony Bourke, a private consultant specializing in Unix administration and networking, said he has the same concerns about WAFs: "For me, as a consultant, they're kind of like toddlers in a fine-china shop. You can't just put them somewhere and then take your eye off of them. You turn your back for a minute and they can get into lots of trouble -- expensive trouble."
Greg Ferro, a freelance consultant and author of the EtherealMind blog, went so far as to say he "won't work on WAFs for liability reasons." Developers, he said, are dismissive of security requirements and unsure how to communicate about them with infrastructure managers.
"DevOps takes some steps in the this direction to solve the communication gap," Ferro said, "but ultimately, DevOps means the death of WAF, since it will be replaced by automated and unit testing in the software as part of the continuous deployment tool chain. Instead of post-fixing a fault code, DevOps promotes the idea of continuous integration and testing that would detect common security flaws that WAFs [are] meant to address."