Introduction

Web Application Firewalls (WAFs) represent the most advanced firewall capabilities in the industry. Traditionally, firewalls were focused on network layer traffic, but as attacks became more advanced and climbed up the ladder of the Open Systems Interconnection model, a different kind of inspection was needed: one that could not only understand and make sense of network traffic but could also track session state and ultimately make sense of what was taking place at the application layer.

Arguably, most of the complexity and analysis is needed at the application layer due to the large and rapidly growing number of protocols and communication formats. Not only do WAFs need to understand the formats and protocol structures at the application layer, but they also need to be able to separate “good” traffic from “bad.” WAFs can accomplish this type of protection through several means. One such method is signature-based detection, in which a known attack signature has been documented and the WAF parses the traffic looking for a pattern match. Another method involves the application of behavior analysis and profiling. Advanced WAFs can conduct a behavioral baseline to construct a profile and look for deviations relative to that profile.
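To make the two detection methods concrete, here is a small added example (not code from the book or any WAF product) that inspects HTTP request lines: first against a couple of documented signatures, then against a per-parameter behavioral baseline of value lengths, flagging a request whose value deviates from the learned profile. The signatures, the z-score threshold and the sample request lines are all constructed assumptions for illustration.

```python
import re
import statistics
from urllib.parse import urlsplit, parse_qsl, unquote

# Signature-based detection: documented attack patterns matched against the decoded target.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-tautology", re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+")),
]
def signature_match(target):
    decoded = unquote(target)  # decode percent-encoding before matching
    return next((name for name, rx in SIGNATURES if rx.search(decoded)), None)
class BehavioralProfile:
    """Behavioral baseline: history of query-value lengths per (path, parameter)."""
    def __init__(self, threshold=3.0, min_samples=5):
        self.samples = {}
        self.threshold = threshold      # z-score above which a value is anomalous
        self.min_samples = min_samples  # learn silently until this many values are seen
    def learn(self, path, params):
        for name, value in params:
            self.samples.setdefault((path, name), []).append(len(value))
    def deviation(self, path, params):
        """Return (param, z) for the most unusually long value, or None."""
        worst = None
        for name, value in params:
            hist = self.samples.get((path, name), [])
            if len(hist) < self.min_samples:
                continue
            z = (len(value) - statistics.mean(hist)) / (statistics.pstdev(hist) or 1.0)
            if z > self.threshold and (worst is None or z > worst[1]):
                worst = (name, z)
        return worst

def inspect(request_line, profile):
    """Classify one HTTP request line; returns (verdict, reason)."""
    _method, target, _version = request_line.split(" ", 2)
    if (sig := signature_match(target)):
        return ("block", "signature:" + sig)
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if (dev := profile.deviation(parts.path, params)):
        return ("alert", "anomaly:%s z=%.1f" % dev)
    profile.learn(parts.path, params)  # only traffic judged clean feeds the baseline
    return ("allow", "")
# Constructed sample request lines (not real traffic): six benign queries, then three probes.
SAMPLE_REQUESTS = ["GET /search?q=%s HTTP/1.1" % q for q in ("shoes", "boots", "socks", "jacket", "belt", "hat")] + [
    "GET /search?q=%s HTTP/1.1" % ("A" * 400), "GET /search?q=../../config HTTP/1.1",
    "GET /item?id=1%20OR%201=1 HTTP/1.1"]

def run_demo():
    profile = BehavioralProfile()
    return [inspect(line, profile) for line in SAMPLE_REQUESTS]
```

Running `run_demo()` allows the six benign queries, raises an anomaly alert for the 400-character value, and blocks the last two requests on signature matches; in a real deployment the baseline would be learned per endpoint over a long window and reviewed before enforcement.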

Throughout this book, we cover topics including the current application threat landscape, types of attacks, the evolution of WAF technologies, and modern deployment architectures. This report will bring you up to speed on the latest developments in the space so that you can better understand how to incorporate and integrate WAF technology with your existing and planned technology deployments, including cloud, on-premises, and hybrid topologies.

Some years ago, attacks on applications and infrastructure were perpetrated by individual hackers in a manual fashion. In an effort to become more efficient and drive more results, malicious operators and organizations have largely automated and industrialized attacks through the use of distributed botnets.

Applications and the way they are developed have gone through significant changes with the advent of cloud deployments, container technologies, and microservices. Developers are always interested in reusing other people’s code to the maximum extent possible in order to achieve outcomes and functionality for their respective applications. As such, more third-party libraries are being used during application development than ever before. Attackers are aware of this and look to take advantage of vulnerabilities found in commonly used third-party libraries such as OpenSSL, for instance. Essentially, this means that the number of well-known vulnerabilities multiplies exponentially the more those libraries are used in the development process. Many DevOps environments are not yet mature enough to address these vulnerabilities in an automated and repeatable way throughout the application development life cycle. Although it’s ideal to address them at the outset, that is not always possible due to the constant introduction and discovery of new vulnerabilities in those libraries. WAFs and adjacent technologies can help provide gap protection in the form of signature-based and behavior-based identification and blocking, which can help address not only known vulnerabilities and threats but zero-day threats and vulnerabilities as well.

This report covers the Open Web Application Security Project (OWASP) Top 10, which outlines the most prevalent vulnerabilities found in applications, and walks through the means of mitigation by way of compensating controls. You will learn about the specifics of WAF functionality as well as emerging functionality and integrations with adjacent security technologies to help you understand where WAFs fit in your overall technology design.

Adjacent WAF technologies and functionality include the following:

  • API gateways

  • Bot management and mitigation

  • Runtime Application Self-Protection (RASP)

  • Distributed Denial of Service (DDoS) protection

  • Content Delivery Networks (CDNs)

  • Data Loss Prevention (DLP)

  • Data Masking and Redaction

  • Security Information and Event Management (SIEMs)

  • Security orchestration and incident response automation

We will address various deployment models, which take the following into consideration:

  • On-premises

  • In-line reverse proxy

  • Transparent proxy/network bridge

  • Out of band/port mirroring/Secure Sockets Layer (SSL) termination

  • Cloud

  • Multitenancy

  • Single tenancy

  • Software appliance based

  • Native cloud

  • Hybrid

In the last chapter, I present several use cases and will work through recommended technologies and deployment models based on a given set of business and technical requirements.
