Why WAFs are Going Wrong
More than half of business WAF users are not happy with their WAF. Learn why, and how to stop it happening to you.
A mere 40 per cent of organisations are entirely happy with their web application firewall (WAF), according to a new Ponemon Institute report, which goes on to expose some of the wider tensions between basic and sophisticated security stances.
The report found that while 66 per cent of respondent organizations consider the WAF a vitally important security tool, 43 per cent of enterprises use WAFs only to generate alerts, as opposed to blocking attacks. Arguably as a direct result, a massive 86 per cent experienced application-layer attacks that bypassed their WAF in the last 12 months.
Web Application Firewall is a must-have security control to protect your web applications against most common attacks. However, WAF remains a basic security mechanism that is not designed to protect from sophisticated web attacks or advanced exploitation vectors. Attacks involving business logic, authentication or access control are by definition undetectable by WAF without special and time-consuming configuration.
llia Kolochenko, CEO of ImmuniWeb commented: “The core problem is a fragile balance between false-positives (erroneously blocked innocent requests) and false-negatives (missed malicious requests). Often, business has zero-tolerance to block legitimate customers as it inflicts direct financial losses, such as customers leaving to competitors after seeing a bizarre error on a payment page. Worse, business is much less sensitive to successful attacks bypassing WAF, as their damage is often incognizable and delayed in time. Therefore, many organizations have to keep their WAF in a log-only mode, being flooded with gigabytes of alerts at the end of the day. Ultimately, a WAF becomes virtually worthless instrument and a pain-point of security teams.”
The Ponemon Institute report commissioned by Cequence Security bears this out, finding that managing legacy WAF deployments is perceived as complex and time-consuming, requiring an average of 2.5 security administrators who spend 45 hours per week processing WAF alerts, plus an additional 16 hours per week writing new rules to enhance WAF security.
In spite of this, the report found that WAF users had consistent needs they would like to be met by the next generation of application security devices, with 72 per cent of respondents wanting more intelligence and automation integrated into their WAF. Meanwhile, a significant 74 per cent want to see WAF functions integrated with other application security functions into an AI-powered software platform.
Kolochenko continued: “Emerging Machine Learning technologies can solve many common problems via intelligent automation, but it will not be a silver bullet. WAF should be complemented by continuous security testing to timely detect new security flaws before they are spotted and exploited by the attackers."
These findings gel with Gartner 2018 Magic Quadrant predictions in 2018, which noted that “by 2023, more than 30 per cent of public-facing web applications will be protected by cloud web application and API protection services that combine DDoS protection, bot mitigation, API protection, and WAFs. This is an increase from fewer than 10 per cent today.”
The analysts also reported that “By 2020, stand-alone WAF hardware appliances will represent fewer than 20 per cent of new WAF deployments, which is a decrease from today’s 35 per cent.”
Another factor against WAF deployment is the challenge of cost, which is still significant. In total, organizations spend an average of $620K annually. This includes $420K for WAF products, plus an additional $200K annually for the skilled staffing required to manage the WAF.
“The research clearly reveals WAF dissatisfaction in three areas,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “First, organizations are frustrated that so many attacks are bypassing their WAFs and compromising business-critical applications. In addition, they’re experiencing the pain of continuous, time-consuming WAF configuration, and administration tasks. Lastly, they’re dealing with significant annual costs associated with WAF ownership and staffing.”
As pointed out in Immuniweb’s own Top 10 Most Vulnerable WordPress Plugins research, although cloud WAF services such as Wordfence are hugely popular and respected, their success can be a double-edged sword. Wordfence currently has more than two million active installations, which is quite a prize for an attacker. Wordfence saw multiple new flaws discovered in September 2018, including several XSS vulnerabilities and a file-path disclosure error, all of which have been promptly patched - yet another powerful reason to ensure all software is maintained up-to-date.
That said, WAF adoption is still far from universal - of the thousands of websites tested by Immuniweb’s free security testing tool in the last year alone, a massive 95.76 per cent did not have a WAF enabled.