The Problem of Badly Configured Web Application Firewalls
Web Application Firewalls (WAFs) have become a critical first line of application defense. Yet configuring and managing them in multi-cloud and on-prem hybrid environments can quickly become overwhelming and risky.
In the worst case, each cloud ends up with its own WAF tools, a recipe for inconsistency. For instance, one person configures a WAF on the private cloud, while another person has responsibility for the public cloud’s native WAF — two different products with different protection and reporting capabilities, maintained as independent security silos.
The complicated case of application protection
When it comes to web application protection, the accelerated pace of DevOps and post-Covid digitalization has only added to this already complex scenario. These market drivers have introduced a wave of innovation and change. Security officers and network engineers are dealing with new architectures, such as microservices, containers, and Kubernetes. Businesses are reinventing themselves and digitalizing services to cater to evolving customer needs and the new ways in which work gets done.
In many cases, these rapid leaps forward are taken without having the right security expertise in-house and without knowing what the app environment will look like in the near future. Security professionals and network engineers try to keep up but don’t always understand the risks posed by these shifting environments.
One of the resulting problems, which often is not given enough thought and attention, is the false sense of security organizations have in their web application firewall and application protection tools. More often than not, we see organizations blindly trusting these security tools while completely unaware of attacks that are flying under their radar.
The cost of blind trust
Cyberattacks thrive on inconsistent and fragmented defense. According to the FBI Internet Crime Report 2021, in the U.S. alone the bureau received over 840,000 complaints and reported cyber damages totaling $6.9 billion (see Figure 1).
Applications are one of the biggest targets. The IBM Cost of a Data Breach report 2021 revealed that more than 50% of data breaches in 2021 were caused by attacks on vulnerabilities at this layer. Other data from IBM shows that data breaches and stolen records and content can inflict substantial losses on organizations, estimated at hundreds of thousands of dollars per single hacker attack and an average of $4.24 million per data breach incident (see Figure 2).
WAFs: A security table stake
Without a doubt, when poorly configured, WAFs can quickly turn into a costly liability. When properly configured, however, WAFs are an effective defense against breaches.
The good news . . . WAFs or web application and API protection (WAAP) have become a security prerequisite for nearly every major organization. Today, there is an overall heightened awareness around security and the need to take measures to protect a business, customers, and user data and records from cyber threats.
The bad news . . . Too often, WAFs are treated as a box to tick for compliance officers and bureaucrats. This leads companies to use inadequate application protection tools or to buy “good enough” WAF or WAAP solutions but fail to configure them properly. In many cases, organizations lack the expertise to balance their security and business needs. They worry that false positives will block legitimate traffic, so they set their WAFs to minimum levels of protection. Many even operate their WAFs in non-blocking or monitoring mode, effectively defeating their purpose.
Ignorance is not a strategy
Badly configured WAFs or unattended security stacks cause more harm than good. They give organizations a false sense of security, which makes them less attentive to hacks and breaches. In fact, most organizations aren’t tuned into the true reality of their security posture and where they are exposed to risk. Here is why:
- Not all WAFs are created equal – Many WAF solutions don’t provide a solid level of security out of the box. The truth is some of them never will, and some simply require a lot of manual configuration to bring them up to par.
- Not all WAFs are well configured – Many organizations lack the relevant expertise to properly configure a WAF. In some cases, the stakeholder in charge of the WAF might be an experienced IT network engineer with good technical knowledge, but without a broad enough understanding of cybersecurity threats or the organization’s vulnerabilities. As a result, in fear of false positives blocking legitimate traffic, WAFs are set to a minimum and highly vulnerable level of security.
- Most successful application attacks go unnoticed – With DDoS protection, it’s very easy to tell when an organization is under attack and whether its service is working correctly. In contrast, successful hacking and non-DDoS bot attacks can go unnoticed for days, weeks, or months since they don’t immediately impact website performance. Consequently, many companies continue to operate completely unaware that they’ve been hacked and that user data has been compromised. In fact, many organizations don’t discover they’ve been breached until they receive a ransom email or listings of their user data surface on the web. To put it simply – you don’t know what you don’t know.
Warning signs that a WAF is not doing its job
It’s never too early to take a serious inventory of a security infrastructure. If a company finds that any of the following scenarios apply to its business, it’s time to revisit its WAF strategy.
- If the application serves more than 1,000 people daily, the organization is most likely being targeted by hackers.
- If the WAF is set to monitor mode only or doesn’t block any traffic, then it is not doing its job and the risk of application attack is high.
- If an organization has not updated its WAF security policies or run an API discovery for more than 10 days, then its applications are most likely vulnerable.
- Almost 60% of internet traffic is generated by bots, of which half is from bad bots. So, if the WAAP solution is not blocking any bots, then something is not right!
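The three configuration-related warning signs above (monitor-only mode, a policy or API discovery older than 10 days, bots that are never blocked) can be checked mechanically. The script below is an added example, not Radware code; the configuration field names and the key=value log format are assumptions, and the sample config and log lines are constructed.

```python
"""Check a WAF's configuration and a day of its event log against the
warning signs listed above. Added example: config field names and the
log format are assumptions, not any vendor's schema."""
from datetime import date

MAX_POLICY_AGE_DAYS = 10   # staleness threshold from the checklist above

# Constructed sample configuration (hypothetical field names).
SAMPLE_CONFIG = {
    "mode": "monitor",                  # "monitor" or "block"
    "policy_updated": "2024-04-01",
    "api_discovery_run": "2024-04-20",
}

# Constructed sample event log: one line per request the WAF inspected.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z action=alert client=bot   src=10.0.0.7  rule=sqli
2024-05-02T10:00:05Z action=pass  client=human src=10.0.0.8  rule=-
2024-05-02T10:00:09Z action=alert client=bot   src=10.0.0.9  rule=scanner
2024-05-02T10:00:12Z action=pass  client=human src=10.0.0.10 rule=-
"""

def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = ts
        events.append(ev)
    return events

def warning_signs(config, events, today):
    """Return the warning signs that apply; an empty list means none fired."""
    today = date.fromisoformat(today)
    signs = []
    blocked = [e for e in events if e["action"] == "block"]
    if config.get("mode") != "block" or not blocked:
        signs.append("monitor-only: no traffic is being blocked")
    for key in ("policy_updated", "api_discovery_run"):
        age = (today - date.fromisoformat(config[key])).days
        if age > MAX_POLICY_AGE_DAYS:
            signs.append(f"{key} is {age} days old (limit {MAX_POLICY_AGE_DAYS})")
    bots = [e for e in events if e["client"] == "bot"]
    if bots and not any(e["action"] == "block" for e in bots):
        signs.append(f"{len(bots)} bot requests seen, none blocked")
    return signs

if __name__ == "__main__":
    for s in warning_signs(SAMPLE_CONFIG, parse_log(SAMPLE_LOG), "2024-05-02"):
        print("WARNING:", s)
```

Run against the sample data, all three checks fire (the staleness check twice, once per date); a blocking configuration with recent policy and discovery dates and at least one blocked bot request reports nothing.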
WAF to do’s and not to do’s
If a WAF is going to serve as an effective line of defense for any organization, it is important to keep these rules of the road in mind:
- Don’t use a WAF in monitoring/learning mode only.
- Train in-house security experts on the application protection products in your security stack and adopt routine workflows. Don’t apply a set-and-forget mentality; things change too fast. Organizations must constantly review reports and analyses.
- If an organization doesn’t have the appropriate in-house security knowledge and expertise, use application protection solutions that offer managed services. This will save a lot of resources on hiring, training, and financing security professionals in house.
- Never trust the security products that are in place, even if they appear to be effective. Run penetration tests and vulnerability analyses every year.
- If something doesn’t seem right with traffic performance, then something is probably not right.
- Avoid using multiple application protection solutions across different environments. Instead, search for a single end-to-end solution that offers a consistent level of security, control, and visibility across the entire network.
To better understand the security risks exposing your enterprise to data breaches and financial loss, Radware offers a FREE application vulnerability analysis. Radware’s Application Vulnerability Analyzer leverages server logs from your website to unearth potential security risks that could impact your organization. It uses an array of Radware algorithms and analytic tools to identify vulnerabilities, misconfigurations, and more. Click here to get a free analysis!