2. Deployment only for compliance purposes
Midsize and small companies frequently install WAFs just to satisfy a compliance requirement. They don't really care about practical security, and obviously won't care about maintaining their WAF.
3. Complicated diversity of constantly evolving web applications
Today almost every company uses in-house or customized web applications, developed in different programming languages, frameworks and platforms. It's still common to see CGI scripts from the 90s in pair with complex AJAX web applications using third-party APIs and web services in the cloud. Moreover, web developers need to update their web applications almost every day to meet business requirements. Obviously, such a dynamic and diverse environment can hardly be protected even by the best WAF and the most competent engineers.
4. Business priorities domination over cybersecurity
It's almost unavoidable that your WAF will cause some false-positives by blocking legitimate website visitors. Usually, after the first complaint to the management from an unhappy customer who could not pay for the service and left for a competitor, WAF is being definitely moved into detection-only mode (at least until the next QSA audit).
5. Inability to protect against advanced web attacks
By design, a WAF cannot mitigate unknown application logic vulnerabilities, or vulnerabilities that require a thorough understanding of application's business logic. Few innovators try to use an incremental ruleset hardening in pair with IP reputation, machine learning and behavioral white-listing to defend against such vulnerabilities. However, they need to pass complicated learning cycles that take quite a lot of time, and are not yet reliable enough.
A Web Application Firewall remains a pretty complicated security control to deploy and maintain within an organization.
However, a WAF remains probably the only preventive security control for web applications, significantly reducing the risks of web vulnerabilities exploitation. A properly configured WAF can prevent simple vectors of the most common web vulnerabilities (such as XSS and SQL injections), even in very dynamic and complicated environments. Moreover, if for a reason it's impossible to patch the vulnerable web application source code or apply vendor's patch, virtual patching via WAF can be a life-saver.
Nevertheless, in no case should a WAF be considered a panacea against web attacks, and shall always be completed by other security controls, such as Vulnerability Scanning, Developer Security Training and Continuous Monitoring, assuggested by ISACA.
Yan Borboën, partner at PwC Switzerland, MSc, CISA, CRISC, comments: "As of today, we can say that cyberattacks have become the new normality in our today's digitally connected world. There is no 'magic bullet' for effective cybersecurity, it's a journey which is starting with the identification of your key risks and your crown jewels (i.e. client data, intellectual property, etc) and then to find the right mix between technologies, processes, and people measures."
Being insufficient to properly mitigate complicated security flaws in modern web applications, a Web Application Firewall still remains a necessary security control within organizations.
Sign up for CIO Asia eNewsletters.