Website protection is a top priority, particularly for organizations that rely on web assets directly for revenue. For most of those organizations, a WAF is the tool of choice to protect web assets. However, there are several common misconceptions about what a WAF can and can’t do. And, given the potential consequences of a successful cyberattack, the price of overconfidence can be high.
This article will explain what a WAF is, how it protects web applications and websites, and which threats it can and can’t protect against.
A Web Application Firewall (WAF) sits between a website or web application and the Internet and protects it by monitoring and filtering traffic. This happens in one of three ways:
When working correctly, WAFs monitor all incoming traffic and filter anything that could be a threat.
An estimated 30,000 web applications and websites are hacked every day, primarily to steal sensitive information. Given that data breaches cost European organizations between $3.9 and $4.5 million on average, it’s no surprise attacks against web assets are considered a top threat faced by today’s organizations.
WAFs boost web application and website protection by blocking attacks that target the application layer — that’s OSI layer 7. Common attacks include SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). Since cloud WAFs filter traffic before it reaches the server, they can also mitigate DDoS attacks that target the application layer.
If you’re thinking, “shouldn’t websites be resistant to these attacks already if they’re coded securely?” — you’re partly right. Secure coding practices, code reviews, and penetration testing are all essential security precautions that help prevent cyber incidents and data breaches. However, it’s not reasonable to expect a web asset to be completely secure against all threats.
There will always be new vulnerabilities and threats that can’t be anticipated. Even the best engineering workflows can’t find every bug, especially in the modern world of rapid DevOps pipelines. For these reasons, a WAF is a critical component of any cybersecurity program.
While WAFs add a lot of value to a security program, they are often misunderstood. Some organizations purchase a WAF expecting it to protect their web assets against all attacks… and that simply isn’t realistic.
WAFs protect against application-layer attacks. However, there are numerous ways to attack a web asset that take a more indirect approach. The most obvious example is Distributed Denial of Service (DDoS) attacks, which disrupt web assets by overwhelming their underlying infrastructure rather than the application itself. WAFs are ineffective against these infrastructure-level DDoS attacks, so it’s essential to have DDoS protection in place as well.
Most WAFs also can’t protect against malicious bots. While some bots use direct attacks (the type WAFs are designed to identify and block), many instead abuse legitimate business logic. WAFs simply aren’t designed to identify this type of malicious behavior — which is why bot management software is also critical for web application and website protection.
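The following is an added example, not code from this article or from Link11's product. It illustrates both points above with a toy request filter: a layer-7 signature check that stops the SQLi and XSS payloads and an Origin check that stops a cross-site POST (the attack classes named earlier), followed by a separate per-client behaviour counter that is the only thing which notices a bot redeeming coupons through a perfectly legitimate endpoint. The rules, the `Request` shape, the threshold and the sample traffic are all constructed for the illustration; a real WAF uses a far larger, score-based rule set.

```python
"""Added illustration of what a WAF inspects and what it cannot see.
Example code, not Link11's Zero Touch WAF or any vendor's engine.
Assumptions (all constructed): the signature rules, the Request shape,
the behaviour threshold and the sample traffic at the bottom."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote_plus

# Constructed layer-7 signatures for the attack classes the article names.
# Production rule sets (e.g. OWASP CRS) are far larger and score-based.
RULES = [
    ("sqli", re.compile(
        r"(?i)(\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+|\bunion\s+select\b|--\s*$|;\s*drop\b)")),
    ("xss", re.compile(r"(?i)(<\s*script\b|javascript\s*:|\bon[a-z]+\s*=)")),
]


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    query: str = ""                       # raw query string
    body: str = ""                        # raw form body
    headers: Dict[str, str] = field(default_factory=dict)


def _inspected_values(request: Request) -> List[str]:
    """Every user-controlled value the filter looks at. parse_qsl decodes once;
    the extra unquote_plus normalises double-encoded payloads."""
    values = [unquote_plus(request.path)]
    for raw in (request.query, request.body):
        values += [unquote_plus(v) for _, v in parse_qsl(raw, keep_blank_values=True)]
    values += [request.headers.get(h, "") for h in ("User-Agent", "Referer", "Cookie")]
    return values


def inspect(request: Request) -> dict:
    """Signature check for SQLi/XSS: returns the verdict and the rule that fired."""
    for value in _inspected_values(request):
        for name, pattern in RULES:
            if pattern.search(value):
                return {"action": "block", "rule": name, "evidence": value}
    return {"action": "allow", "rule": None, "evidence": None}


def same_origin(request: Request, site_origin: str) -> bool:
    """CSRF mitigation a WAF can enforce at the edge: state-changing requests
    must carry an Origin (or Referer) belonging to the protected site."""
    if request.method in ("GET", "HEAD", "OPTIONS"):
        return True
    origin = request.headers.get("Origin") or request.headers.get("Referer", "")
    return origin == site_origin or origin.startswith(site_origin + "/")


class BehaviourMonitor:
    """Not a WAF function: bot-management style per-client counting that flags a
    client hammering one endpoint with requests that are individually legitimate."""

    def __init__(self, limit: int):
        self.limit = limit
        self.counts: Dict[Tuple[str, str], int] = {}

    def observe(self, request: Request) -> str:
        key = (request.client_ip, request.path)
        self.counts[key] = self.counts.get(key, 0) + 1
        return "flag" if self.counts[key] > self.limit else "ok"


def process(traffic: List[Request], site_origin: str, limit: int = 5) -> dict:
    """WAF checks first, then the behavioural check on whatever the WAF allowed."""
    monitor = BehaviourMonitor(limit)
    blocked: List[Tuple[str, str]] = []
    flagged = set()
    for req in traffic:
        verdict = inspect(req)
        if verdict["action"] == "block":
            blocked.append((req.path, verdict["rule"]))
            continue
        if not same_origin(req, site_origin):
            blocked.append((req.path, "csrf-origin"))
            continue
        if monitor.observe(req) == "flag":
            flagged.add(req.client_ip)
    return {"blocked": blocked, "flagged_clients": sorted(flagged)}


SITE = "https://shop.example"
# Constructed sample traffic: two textbook injection attempts, one cross-site
# POST, and a bot redeeming coupons through the legitimate endpoint.
SAMPLE_TRAFFIC = [
    Request("203.0.113.5", "GET", "/products", "id=42"),
    Request("203.0.113.5", "GET", "/products", "id=42%27+OR+1%3D1--"),
    Request("203.0.113.9", "GET", "/search", "q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"),
    Request("203.0.113.12", "POST", "/account/email", body="email=x%40example.org",
            headers={"Origin": "https://other.example"}),
] + [
    Request("198.51.100.7", "POST", "/api/coupon/redeem", body=f"code=WELCOME{i:02d}",
            headers={"Origin": SITE})
    for i in range(20)
]

if __name__ == "__main__":
    print(process(SAMPLE_TRAFFIC, SITE))
```

Running it shows the three malicious requests blocked by the WAF-style checks, while every one of the twenty coupon requests passes `inspect` and `same_origin` cleanly; only the behaviour counter, which is doing bot management rather than request filtering, flags the client.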
To find out more about how Link11’s Zero Touch WAF can protect your web assets, visit our website.