Address: Level 26,Fortune Financial Center,No.5 Dongsanhuanzhong Rd,Chaoyang District,Beijing
Contact: Wang He
Web Application Firewall: Must-Have or On the Way Out?
Gartner's 2015 Magic Quadrant estimates the global Web application firewall (WAF) market at $420 million, up 24%; the WAF has become the most popular preventive and detective security control for Web applications.
A must-have
Today many mid-sized companies offer a variety of WAF solutions, usually bundled with DDoS protection, content delivery network (CDN), application delivery controller (ADC) and related services. Amazon Web Services (AWS) has recently launched its own WAF.
Gartner predicts that by 2020 more than 60 percent of public Web applications will be protected by a WAF. In 2015, however, Gartner placed only one vendor, Imperva, in the Leaders quadrant, and two companies, DenyAll and Positive Technologies, among the Visionaries. All other vendors were classed as Niche Players or Challengers, and many more WAF vendors did not appear in the Magic Quadrant at all because they did not meet the inclusion criteria.
The problem
Information security company High-Tech Bridge recently published a study of the open-source WAF ModSecurity, showing that a WAF can be used to virtually patch complex vulnerabilities such as improper access control or session fixation.
Unfortunately, many commercial vendors cannot offer even half of ModSecurity's technical capability and flexibility for implementing virtual patches.
However, the High-Tech Bridge study also pointed out that the ModSecurity Open Web Application Security Project (OWASP) Core Rule Set (CRS) can be bypassed in its default configuration, and that creating custom rule sets can be very complicated and time-consuming.
Hard to replace
Deploying and maintaining a WAF in an enterprise remains a very complex security control. Yet a WAF may also be the only preventive security control for Web applications that can significantly reduce the risk of Web exploits. A well-configured WAF protects against the most common live Web exploits (such as XSS and SQL injection) even in very dynamic and complex environments. And if, for some reason, a vulnerability in the Web application's source code cannot be fixed, or a vendor's published patch cannot be applied, a WAF virtual patch can serve as a last resort.
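To make the distinction between the generic signature rules of a default rule set and the application-specific virtual patches discussed above concrete, here is a small WAF-style inspector. It is an added example, not code from the article, from High-Tech Bridge or from the ModSecurity project. It assumes a toy `Request` object with a path, parameters and cookies, a hypothetical `/admin` area that the application fails to protect, and a hypothetical `sessionid` parameter name; the sample requests at the bottom are constructed for illustration. Two points it shows: why input must be normalized (repeated URL-decoding and lowercasing, in the spirit of ModSecurity transformations) before a signature can be trusted, and how a virtual patch for improper access control or session fixation is a rule about the application's logic rather than about an attack string.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumption for this example)."""
    method: str
    path: str
    args: dict = field(default_factory=dict)     # query/body parameters
    cookies: dict = field(default_factory=dict)


def normalize(value: str) -> str:
    """Decode percent-encoding until stable (defeats double encoding), then lowercase.
    Matching raw, un-normalized input is one reason default signatures miss encoded payloads."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return value.lower()


# Generic signatures of the kind a default rule set ships with.
SIGNATURES = {
    "sqli": re.compile(r"""['"]\s*(?:or|and)\s+[\w'"]+\s*=\s*[\w'"]+|union\s+select|;\s*drop\s+table"""),
    "xss": re.compile(r"<\s*script|on\w+\s*=|javascript:"),
}


def signature_check(req: Request) -> list:
    """Apply every generic signature to every normalized parameter; return rule hits."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for key, raw in req.args.items():
            if pattern.search(normalize(raw)):
                hits.append(f"{name}:{key}")
    return hits


def virtual_patches(req: Request) -> list:
    """Application-specific rules that stand in for a source-code fix."""
    hits = []
    # 1. Improper access control: the (hypothetical) /admin area must only be
    #    reachable with an authenticated session cookie; the path is normalized
    #    so /Admin or /%61dmin cannot sidestep the rule.
    if normalize(req.path).startswith("/admin") and "sessionid" not in req.cookies:
        hits.append("vpatch-access-control")
    # 2. Session fixation: the application (hypothetically) accepts a session ID
    #    from the query string; refuse any request that supplies one that way.
    if "sessionid" in req.args:
        hits.append("vpatch-session-fixation")
    return hits


def inspect(req: Request) -> tuple:
    """Return ('deny' | 'allow', list of rule hits)."""
    hits = signature_check(req) + virtual_patches(req)
    return ("deny" if hits else "allow", hits)


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    samples = [
        Request("GET", "/search", {"q": "cheap flights to oregon"}),
        Request("GET", "/search", {"q": "%27%20OR%201%3D1"}),          # encoded SQLi
        Request("GET", "/search", {"q": "%253Cscript%253Ealert(1)"}),  # double-encoded XSS
        Request("GET", "/Admin/users"),                                # no session cookie
        Request("GET", "/admin/users", cookies={"sessionid": "abc"}),
        Request("GET", "/login", {"sessionid": "attacker-chosen"}),
    ]
    for r in samples:
        print(r.path, r.args, inspect(r))
```

The signature rules are deliberately generic and will both miss some payloads and flag some benign input; the virtual patches, by contrast, encode knowledge of one application's flaw and are only as good as the analyst's understanding of it, which is the trade-off the article describes between default rule sets and custom rules.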
Nevertheless, a WAF cannot be treated as a panacea for Web attacks; it should always be complemented by other security controls such as vulnerability scanning, developer security training and continuous monitoring.
In today's interconnected digital world, cyber attacks have become the new normal. There is no magic bullet and no silver bullet. Network security is a journey: it starts with identifying key risks and important assets, and then finding the right combination of technology, processes and people.
Finally, although a WAF alone is not enough to cope with the complexity of modern Web application security vulnerabilities, it remains a necessary security measure among a company's internal controls.