Can Web app firewalls replace baked-in application security?

Discussions

News: Can Web app firewalls replace baked-in application security?

  1. Despite the talent and hard work of today's Java developers, enterprise Web and mobile applications may not be as secure as they should be. More than ever before, Java developers are code ninjas and mobile application magicians. Java applications running on Android phones let us take care of our banking errands, wire money, send and receive emails,  make purchases, keep tabs on our investments, schedule appointments, and even help us keep fit. We can run them just about anywhere. These apps are powerful and easy to use. They connect us to the world in ways that were impossible not so long ago.

    Unfortunately, the developers that work so much power into such small devices may not be the best candidates for making sure that power stays in the right hands. According to Gardner's VP of security research, Ramon Krikken, enterprise application development could stand some improvement. He cites research from WhiteHat Security Inc. that implies it would take the banking industry (one of the most regulated and therefore best secured industries) over thirteen months to patch 90% of the flaws that exist in their applications.

    Krikken suggests mitigating security risks with a Web app firewall (WAF):

    A WAF is an appliance or server software add-on that can monitor and block traffic to and from applications. They have become common in many enterprises, especially those that must comply with the Payment Card Industry Data Security Standard (PCI DSS), which calls for either use of a WAF or frequent application code reviews.

    “I’m usually the last one to recommend – if you have a problem – throwing a piece of technology at it or putting something in front of it and filtering it, because it’s a good idea to build secure applications right from the start,” Krikken said, “but you can’t do that with all applications.”

    “I have an increasing number of customers starting to question whether putting a Web application firewall in front of an application to fix something is all that much worse than fixing the code.”

    What do you think about securing Java Web applications. Is a WAF firewall appliance or add-on security server a valid strategy? Do developers need to bake security into Web applications? Is this potentially a growth area for new Web developers? Leave us a comment to let us know what you think.

     

  2. I've just read The Tangled Web A Guide to Securing Modern Applications each chapter describes how web apps are hopelessly insecurable in the browser. Before that, I read The Basics of Hacking and Penetration Testing which shows that hackers have won the arms race over server security. What I've learned is I could spend more time securing an app than writing it and it would still be vulnerable and that I need a security specialist. I've started reading Apache Security and I'd like Apache httpd to be a web app firewall but that takes specialist knowledge too, default Apache settings are far from secure.

  3. Patching vulnerabilities via a WAF is definitely a viable option. As you state, it’s just not always an option to fix the code. WAF's can be tough to configure. Many of the commercial application scanning tools are able to turn on packaged rules in the WAF and some are able to create custom rules. I’m a security engineer - I just want the code protected. It doesn’t really matter to me if it’s fixed in the code or via a WAF as long as we’re protected. I successfully used NTOSpider/NTODefend to configure Mod Security. 

     

  4. We agree. There are options for easily creating custom WAF and IPS rules. Our solution, NTODefend creates custom rules quickly and easily from NTOSpider’s application scan results. It can also test the WAF to make sure that it’s not blocking good traffic.  http://www.ntobjectives.com/security-software/ntodefend-automated-rule-generation/

    Larry Suto did a pretty comprehensive analysis of using web scanners to quickly configure WAFs and IPS to block web attacks, which is published here. 

    Larry Suto's study - http://www.slideshare.net/lbsuto/analyzing-the-effectivess-of-web-application-firewalls


    Krikken isn’t the only Gartner analyst who agrees. Neil MacDonald from Gartner published a blog titled, “Link Web Application Firewalls to Dynamic Application SecurityTesting Tools” - he said that using WAF’s to protect applications via application security testing tools is a “no brainer.”
    Neil MacDonald's blog - http://blogs.gartner.com/neil_macdonald/2012/01/09/link-web-application-firewalls-to-dynamic-application-securitytesting-tools/

  5. Relying on WAF for web application security problems is a similar concept like throwing more hardware at performance problems. It might cure some symptoms but it doesn't solve the root causes.

    Of course the WAF can provide some additional security - like more hardware can provide more performance. But the application should not be designed with the notion in mind, that there will be a WAF. Otherwise people will start to implement security problems, which a WAF cannot and should not solve, for instance missing application specific input validation, which could lead to authorization problems or to DOS-vulnerabilities.

    As the cited study says: "WAF solutions must be tuned by a trained professional." So it's not  a cheap solution. Alternatively one could invest the money in some design/code principles and reviews, which might additionally help to solve some of the upcoming performance problems.


    A comment to the survey: in the banks I worked it never took more than a couple of days to solve severe security problems.