A Web Application Firewall (WAF) is probably one of the most popular preventive and/or detective security controls for web applications today. Gartner's Magic Quadrant (MQ) 2015 for Web Application Firewalls estimates that the global WAF market size is as big as $420 million, with 24 percent annual growth.
PCI DSS 3.1 requirement 6.6 suggests WAF deployment as an alternative to vulnerability scanning: "Installing an automated technical solution that detects and prevents web-based attacks (for example, a web application firewall) in front of public-facing web applications, to continually check all traffic". ISACA's "DevOps Practitioner Considerations" includes WAF in the 10 key security controls companies need to consider as they embrace DevOps to achieve reduced costs and increased agility.
Today, dozens of large and hundreds of midsize companies offer various WAF solutions, usually packaged together with DDoS protection, CDN, ADC and other related offerings. Amazon Web Services (AWS) has recently launched its own WAF service, raising some questions from Gartner.
Gartner predicts that by 2020, more than 60 percent of public web applications will be protected by a WAF. However, in 2015 Gartner had only one vendor listed in its WAF MQ as a Leader (Imperva), and only two vendors listed as Visionaries (DenyAll and Positive Technologies). All other vendors are either Niche Players or Challengers. Many more WAF vendors were simply not present in the MQ for not meeting the inclusion criteria.
Last year, security researcher Mazin Ahmed published a White Paper demonstrating that the XSS protection of almost all popular WAF vendors can be bypassed. XSSPosed (the Open Bug Bounty project), prior to announcing its private and open Bug Bounty programs, published new XSS vulnerabilities on the largest websites (including Amazon) almost every day. It was a useful resource for observing how security researchers bypassed almost every WAF mentioned in the Magic Quadrant. The emerging trend of RASP (Runtime Application Self-Protection) can also be bypassed using techniques similar to those used for WAF bypass.
Last week, High-Tech Bridge published research on the ModSecurity WAF demonstrating that a WAF can be used to mitigate even such complicated vulnerabilities as Improper Access Control or Session Fixation. Sadly, many commercial vendors do not provide even half of ModSecurity's technical ability and flexibility for virtual patching. However, High-Tech Bridge's research also highlights that the ModSecurity OWASP CRS can also be bypassed in its default configuration, and that creating custom rulesets may be very complicated and time-consuming.
So, let's have a look at the main reasons why WAF protection often fails these days:
1. Negligent deployment, lack of skills and different risk mitigation priorities
Many companies simply don't have competent technical personnel to maintain and support WAF configuration on a daily basis. Not surprisingly, they just put their WAF into detection mode (without blocking anything) and don't even care about reading the logs.
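As an added illustration (not from the article or from High-Tech Bridge's research), the ModSecurity fragment below shows the detection-only posture described here beside an enforcing configuration with a hypothetical virtual patch of the kind mentioned in the ModSecurity paragraph above; the /admin/ path and the admin_session cookie are assumed names, not taken from any real application.

```apache
# Constructed example for illustration; paths and cookie names are hypothetical.

# Weak posture (the one described above): every rule match is logged,
# nothing is ever blocked, and the log is rarely read.
#SecRuleEngine DetectionOnly

# Enforcing posture: rules block, and only relevant transactions are audited
# so the log stays small enough for someone to actually review.
SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLog /var/log/modsec_audit.log

# Hypothetical virtual patch for an Improper Access Control flaw:
# the application exposes /admin/ to anyone, so deny any request to that
# area that does not carry the (assumed) admin_session cookie.
# The chained rule only fires when the cookie count is zero.
SecRule REQUEST_URI "@beginsWith /admin/" \
    "id:100001,phase:1,deny,status:403,log,chain,\
    msg:'Virtual patch: admin area requires an admin session cookie'"
    SecRule &REQUEST_COOKIES:admin_session "@eq 0"
```

Switching the commented `DetectionOnly` line back on reverts the whole configuration to logging without blocking, which is exactly the silent failure mode the paragraph describes.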