For over ten years, web application firewalls have watched over the quality of web traffic. And with the recent surge of attacks against web applications, they have even become a key component of enterprise security. This is especially true with the migration of many web applications over to the Cloud. However, considering the growing number of attacks regularly reported by the press, we can only wonder how relevant and effective these defences may be.
As enterprises become more and more reliant on web applications to run their businesses, application uptime and reliability have become critical success factors. Every business stakeholder can and should contribute to reaching these objectives. Whether they are network IT managers, security officers, production managers, auditors or developers, they all have a role to play in defining and implementing enterprise security policies.
This is the reason why business data security should never come down to a single product, a single person or even a single place. Let’s drill down into each of these assertions:
Not a single product: let's face the truth, no single product will ever be the "silver bullet" that protects every web application out of the box. Securing such applications means implementing a corporate process that fully leverages internal development capabilities, analytics and security tools. In any case, the involvement of application designers is critical, because they provide the relevant input and insight into the inner workings and associated risks of each application.
Not a single person: unlike network equipment, which is managed exclusively by IT specialists, a WAF requires input from many different job profiles across the enterprise. It involves security experts, but also production, sales and marketing, auditing, etc. Every one of them must have access to a component of the solution that fits their responsibilities and ensures the security, continuity of service and traceability of their applications.
Whether they are contributors or consumers of information, every application decision maker should be able to interact with the product capabilities relevant to them. This includes a profile-based, dedicated administration interface with customized supervision, security alert analytics, or access to the activity of a user in case of suspicious behavior.
Not a single place: web application security is now a well-debated topic, but it is clear that the way it is applied within enterprises does not necessarily match the scale of the attacks. The web application firewall has long been described as a complement to network firewalls and positioned behind the public DMZ. But what happens to web traffic that bypasses the DMZ, such as some mobile connectivity, intranet access, web services and others?
Web application security will only be effective if it moves beyond being just an expert tool for expert users. It must evolve into a collaborative effort in which every business owner in the enterprise comes together to define these security policies with their own competencies and capabilities. The challenge for vendors will no longer be to provide increasingly sophisticated products, but rather to rethink how application security can be implemented and customized by each business stakeholder. Rather than forcing customers to adhere to purely technology-driven approaches, security vendors will have to integrate their offerings into existing enterprise business processes.
The relevance of a web application firewall is not debatable, but its implementation and administration need to be reinvented if we want to improve its effectiveness.