Content Copyright © 2023 Bloor. All Rights Reserved.
Web application firewalls (WAFs) are extremely important for any organisation with a web presence, which the vast majority of organisations have. Their importance is also growing and will continue to do so.
Web applications are a major threat vector and a magnet for attackers. According to Verizon's Data Breach Investigations Report 2023, data disclosure occurred in 94% of the web application compromises seen in the past year, and in 95% of attacks the motivation was financial, with attackers seeking access to valuable data for their own gain. The consequences for any organisation that is hit can be dire in terms of reputational and financial damage.
Prime use cases
According to Fortra, which has recently made its managed WAF service available to all organisations after 11 years of delivering managed WAF exclusively to its MDR customers, there are a number of prime use cases for WAFs.
The primary use case for any WAF is to detect and block attacks targeting known and zero-day, or unknown, vulnerabilities, keeping the protected applications and data safeguarded. Fortra’s WAF has proven success in threat prevention and has additional capabilities for solving other application challenges and use cases.
The first one that it highlights is bot management. A bot is an autonomous program that interacts with systems or users over a network. Bots can be either good or bad. Good bots are helpful for websites and users, such as Googlebot and Bingbot for search engine optimisation, or an authorised vulnerability scanner that highlights exposures so they can be mitigated. Bad bots can be extremely detrimental: they are used to scrape or download content from a website, spread malicious content and steal user credentials, which is a key problem in web application attacks. A WAF is useful for distinguishing between the two, recognising malicious, undesirable or unexpected bot activity and blocking it.
Another use case is API security. The use of APIs has exploded, enabling one piece of software to interact with another so that web applications can function properly. APIs are central to web application security, but the growth in their use has made them a clear target for attackers looking to exploit vulnerabilities in order to gain access to sensitive data and systems. A WAF can protect against exploits that seek access to sensitive data or otherwise impact an organisation's operations. It does this by inspecting traffic in real time to identify and block nefarious behaviour and both known and unknown threats.
A third major use case is that a WAF can help guard against DDoS attacks that look to cripple networks. Many such attacks are aimed at APIs, looking to overwhelm and halt services.
The next imperative for using WAFs
The usefulness of WAFs in the use cases described makes them ideal for any organisation that has a web presence. But the case for using WAFs is about to get stronger. Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) is forthcoming, and any organisation that accepts, processes or stores payment card and associated information must comply with its requirements.
Version 4.0 was published in March 2022 and contains many new requirements and strengthens others. The previous version is being retired as of April 2024, at which point organisations are expected to adopt version 4.0 and the majority of its requirements become mandatory. The remaining requirements will be considered best practice until they become mandatory from April 2025.
One of the new requirements is that, for any organisation subject to PCI DSS, use of a WAF will become mandatory as of April 2025, although it will be considered best practice as of April 2024, and organisations will be under pressure from partners and customers to prove compliance. As a key tool for preventing and stopping web application attacks, a WAF should be a top priority. With some 60 new requirements in version 4.0, implementing all the needed controls will be time consuming. It is best to plan for a WAF implementation now to ensure the organisation is protected.
WAF technology is known to be complex to implement and time consuming and costly to manage. Some organisations may still consider an in-house deployment their best option, but managed WAF services will prove a more viable alternative for many. Easy to set up and managed by an expert third party, they are within the reach of resource-strapped organisations, especially given how many new requirements those organisations have to deal with.
WAFs are key for prevention and protection and for achieving data security goals. They can guard organisations against many of the web application threats that they face, and their use is soon to become mandatory for those subject to PCI DSS 4.0. Given the benefits that they offer, organisations should begin planning their implementation today.