Recent WhiteHat Website Security and Verizon Data Breach Investigation reports offer convincing evidence that Web applications remain the primary targets for attackers. WhiteHat reports that cross-site scripting, data leakage, and content spoofing are the most common attacks. Verizon notes that 98 percent of all data breached was gathered off servers and Web applications.
Both reports cite many causes, but the two that pose big challenges for IT are: 1) keeping servers, applications, and databases configured to prevent unauthorized access and leakage, and 2) dealing with a publication "pace" that does not provide IT sufficient time to test and validate new content. Even the best IT Web teams are forced to publish new pages, scripts, and active content on the assumption that new content does not introduce new vulnerabilities. Incident statistics suggest that the contrary is true.
There is no "Easy Button" you can push to mitigate these causes. Ensuring that every element of a Website is configured securely is hard, especially for sites containing considerable amounts of dynamic content. If this unhappy scenario applies to your organization, consider whether a measure you probably take to protect your networks from external attacks -- a firewall -- can protect your Web applications, data, and servers against unauthorized access and misuse.
Web application firewalls are not a substitute for hardening your Website, but they can offer an additional layer of defense against application and data attacks. Like Internet firewalls, they are configured with a set of rules (access controls) that enforce a security policy. An Internet firewall examines network traffic, so it blocks unauthorized, malformed, suspicious, or known malicious traffic and allows (forwards) authorized application messages to appropriate applications or servers.
In contrast, a Web application firewall examines application message protocols (HTTP/HTTPS, FTP, IM, VoIP, etc.) as well as data that's submitted via Web forms or returned in responses (HTML, XML, virtually any MIME type). The value proposition of a Web application firewall is simple. If you aren't confident that your defenses against database attacks (SQL injection), code injection, login attacks, and cross-site scripting are rock-solid at each of your Web servers, defend them all at a single enforcement point.
If this approach sounds attractive, determine what you'll expect a Web application firewall to do in your multi-layered defense. Your security policies should give a 100,000-foot view of how a Web application firewall might help. Your IT or Web team can identify your application mix, markup and scripting languages, and databases. A review of your organization's Web presence goals will help you define who may access Web apps or data, from where, what the intended input is for input forms, and what the intended output is for each hyperlink. These will all be relevant as you research Web application firewalls and discuss your needs with vendors.
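To show what "rules that enforce a security policy" and "the intended input for input forms" look like once written down, here is an added example in Python. It is not code from the column or from any vendor's product: it implements a small positive-security-model rule set of the kind a WAF evaluates, in which only declared paths, methods, source networks, and form fields are allowed and everything undeclared is blocked. The site paths, field formats, and sample requests are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

# Positive security model: a request is allowed only when it matches a
# declared endpoint and every submitted field matches its declared
# constraints. Anything not declared in the policy is blocked by default.


@dataclass
class FieldRule:
    pattern: str   # regex the whole value must match
    max_len: int   # upper bound on value length


@dataclass
class EndpointRule:
    methods: Tuple[str, ...]
    fields: Dict[str, FieldRule] = field(default_factory=dict)
    required: Tuple[str, ...] = ()
    allowed_sources: Tuple[str, ...] = ("0.0.0.0/0",)  # CIDRs that may reach it


# Hypothetical policy for a small site (constructed for this example). It
# captures the review the column describes: which endpoints exist, who may
# reach them, and what each form field is supposed to look like.
POLICY: Dict[str, EndpointRule] = {
    "/login": EndpointRule(
        methods=("POST",),
        fields={
            "username": FieldRule(r"[A-Za-z0-9_.]{3,32}", 32),
            "password": FieldRule(r".{8,128}", 128),
        },
        required=("username", "password"),
    ),
    "/search": EndpointRule(
        methods=("GET",),
        fields={"q": FieldRule(r"[\w\s\-]{1,64}", 64)},
    ),
    "/admin/users": EndpointRule(
        methods=("GET",),
        allowed_sources=("10.0.0.0/8",),  # internal management network only
    ),
}


@dataclass
class Request:
    method: str
    path: str
    source_ip: str
    params: Dict[str, str] = field(default_factory=dict)


def evaluate(req: Request) -> Tuple[str, str]:
    """Return ("allow", "") or ("block", reason) for a single request."""
    rule = POLICY.get(req.path)
    if rule is None:
        return "block", f"undeclared path {req.path}"
    if req.method not in rule.methods:
        return "block", f"method {req.method} not allowed on {req.path}"
    src = ip_address(req.source_ip)
    if not any(src in ip_network(cidr) for cidr in rule.allowed_sources):
        return "block", f"source {req.source_ip} not permitted for {req.path}"
    for name in rule.required:
        if name not in req.params:
            return "block", f"missing required field {name}"
    for name, value in req.params.items():
        frule = rule.fields.get(name)
        if frule is None:
            return "block", f"unexpected field {name}"
        if len(value) > frule.max_len:
            return "block", f"field {name} exceeds {frule.max_len} characters"
        if not re.fullmatch(frule.pattern, value, re.DOTALL):
            return "block", f"field {name} does not match its declared format"
    return "allow", ""


# Constructed sample traffic: one request per decision path.
SAMPLE_REQUESTS = [
    Request("POST", "/login", "203.0.113.5",
            {"username": "alice_01", "password": "correct horse battery"}),
    Request("POST", "/login", "203.0.113.5",
            {"username": "alice_01", "password": "pw"}),      # too short
    Request("GET", "/search", "203.0.113.5",
            {"q": "firewall", "debug": "1"}),                  # undeclared field
    Request("GET", "/admin/users", "203.0.113.5"),             # wrong source network
    Request("GET", "/admin/users", "10.1.2.3"),                # internal, allowed
    Request("GET", "/backup.zip", "203.0.113.5"),              # undeclared path
]


def run_samples():
    """Evaluate every sample request and return the decisions in order."""
    return [evaluate(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, (verdict, reason) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{req.method} {req.path} from {req.source_ip}: {verdict} {reason}")
```

The design choice worth noting is that the policy never lists what an attack looks like; it lists what legitimate traffic looks like, which is exactly the output of the review of paths, forms, and access sources the paragraph above recommends. Keeping that policy current as new pages and scripts are published is the operational cost of this model.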
In my next column, I'll suggest questions to ask prospective Web application firewall vendors that will help you make an informed purchasing choice.