- August 27, 2020
- 4 minute read
Cloud web application firewall is probably one of the most popular preventive and/or detective security controls for web applications today.
Hacking can sometimes be mere child's play. Literally! Take a look at Troy Hunt, founder of the breach site haveibeenpwned.com, teaching his 3-year-old boy in 2012 how to hack a website using an SQL Injection (SQLi) attack script. This attack vector, SQLi, has been around for a while; it is actually one of the oldest. SQLi was possibly first documented by Jeff Forristal in the hacker zine Phrack. In the December 1998 issue of Phrack, Forristal wrote about a series of issues with a version of Microsoft SQL Server. When Forristal's fellow researcher told Microsoft of the problems, “their answer was, well, hilarious,” he wrote. “According to them, what you're about to read is not a problem, so don't worry about doing anything to stop it.”
Today, almost 16 years after it was first publicly disclosed, SQLi repeatedly sits at the number one spot of vulnerabilities in the OWASP Top 10 report, which is released every three years by the Open Web Application Security Project (OWASP) Foundation, a non-profit that monitors the threats that websites face. That method of attack, where hackers typically enter malicious commands into forms on a website to make it churn out juicy bits of data, is probably here to stay. It has been used to steal the personal details of World Health Organization employees, grab data from the Wall Street Journal, and hit the sites of US federal agencies. With time passing and lessons learned, one of the most secure solutions to this kind of attack is the Cloud Web Application Firewall (WAF). It protects not just against SQL injection, but also against cross-site scripting (XSS) and zero-day attacks, including OWASP-identified vulnerabilities and threats targeting the application layer. A good WAF blocks millions of attacks daily, automatically learning from each new threat.
The Web Application Firewall (WAF) works by examining HTTP requests to your website. It looks at both GET and POST requests and applies rules to help filter out illegitimate traffic from legitimate website visitors. You can decide whether to block, challenge or simulate an attack before it reaches your origin web server.
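As an added illustration (not code from the original post or from any WAF vendor), here is a minimal Python model of that inspection loop: it flattens GET query parameters and POST form fields, applies a constructed rule set, and returns the strongest of the three modes, with "simulate" recording the match but letting the request through. The rule patterns, rule ids and sample requests are assumptions made for the demonstration, not anyone's production rules.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed rule set (assumption): each rule carries a pattern and one of the
# three WAF modes. "simulate" records the match but allows the request, which is
# how a rule is tuned against real traffic before it is switched to "block".
RULES = [
    {"id": "sqli-tautology", "mode": "block",
     "pattern": re.compile(r"(['\"])\s*or\s*\1?\s*\w+\1?\s*=\s*\1?\w+", re.I)},
    {"id": "sqli-comment", "mode": "challenge",
     "pattern": re.compile(r"(--|#|/\*)\s*$")},
    {"id": "xss-script-tag", "mode": "simulate",
     "pattern": re.compile(r"<\s*script\b", re.I)},
]

@dataclass
class Verdict:
    action: str    # "allow", "challenge" or "block" (simulate never escalates)
    matched: list  # ids of every rule that fired, simulated ones included

def _fields(method, url, body):
    """Flatten GET query parameters and POST form fields into (name, value) pairs."""
    pairs = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        pairs += [(name, v) for v in values]
    if method.upper() == "POST" and body:
        for name, values in parse_qs(body, keep_blank_values=True).items():
            pairs += [(name, v) for v in values]
    return pairs

def inspect(method, url, body=""):
    """Apply every rule to every parameter; the strongest matching action wins."""
    rank = {"allow": 0, "simulate": 0, "challenge": 1, "block": 2}
    action, matched = "allow", []
    for _, value in _fields(method, url, body):
        for rule in RULES:
            if rule["pattern"].search(value):
                matched.append(rule["id"])
                if rank[rule["mode"]] > rank[action]:
                    action = rule["mode"]
    return Verdict(action, matched)
```

Because the whole parameter list is scanned before returning, the `matched` list doubles as the log entry a detection engineer would want, even when the final action is "allow".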
Taking into account that the average number of vulnerabilities on a website is 230 and 75% of all cyber attacks target web applications, a WAF is no longer an option reserved only for big corporations but a must for all companies with a web presence and a database.
The main benefit of a WAF is that it protects already completed, production web applications at the application layer with a reasonable amount of effort and without having to change the application itself.
On the one hand, the WAF offers basic protection against known attacks or vulnerabilities based on blacklists. The data security standard of the credit card industry (PCI DSS), for example, in its current version prescribes the use of a WAF - as an alternative to regular code reviews by a specialist - as an adequate measure to protect web applications. The WAF is therefore a suitable tool for attaining industry standards as well as fulfilling legal requirements.
The use of a WAF becomes especially relevant in the case of concrete vulnerabilities, for example those uncovered via penetration tests or source code reviews. Even if it were possible to fix the vulnerability in the application promptly and with a reasonable amount of effort, the modified version can generally only be deployed at the next maintenance interval, often 2-4 weeks later (the patch dilemma). With a whitelisting WAF, the vulnerability can be closed promptly at the WAF (hotfix), so that it cannot be exploited before the next scheduled maintenance. WAFs are especially fast in this respect, and they can also work together with source code analysis tools, so that detected external vulnerabilities automatically result in a recommended rule set for the WAF.
A WAF is particularly important in securing production web applications which in turn consist of multiple components and which cannot be quickly changed by the operator, e.g. poorly documented applications or third-party products without sufficient maintenance cycles. A WAF is the only option for promptly closing external vulnerabilities.
Perhaps one of the biggest benefits comes from the cloud architecture itself: a cloud WAF is easy to set up, with no hardware, software, or tuning required. As a cloud-based service, the WAF requires no hardware or software to install and maintain. You can turn it on in seconds and customize it to meet your needs.