Monday, June 25, 2012

Application Owner vs Information Security fun#2 - on Web Application Firewall

I presume most of us security pros have heard of the Web Application Firewall (WAF). It is not a new technology, but only a few enterprises have seen the benefit and implemented it within their infrastructure. I hope this story sheds more light on the benefit of having one and helps expedite your decision-making process in getting a WAF :)

Information Security lad: During our security review, we noticed that you have decided not to include WAF as an additional protection layer for your web application. Although it is not a mandatory policy in our company, we strongly suggest having your web application protected by WAF, as your web application is internet facing and will be handling important e-commerce transactions. Moreover, as you are offering 99.99% availability to your customer, you may want to have an extra layer of protection to support this commitment. New attacks could be easily mitigated by the WAF as its signatures are updated on a daily basis. I do know that our IT Supplier has a very good WAF team there.

Application Owner dude: Thank you for your suggestion... I don't see the need for it right now. We already have multiple layers of protection in place. We have a firewall and an Intrusion Prevention System (IPS) in front of the web application. Furthermore, we have done a security assessment and pen-test during our application development cycle and we have got a clean bill of health there. I believe your team did some security tests as well and found no weaknesses. The application is just robust.... Anyway, I don't really have extra budget....

Information Security lad: Well... if you insist and understand the risk, we won't stand in your way. We will approve this RFC.

5 months later.....

Information Security lad: We received an emergency incident ticket indicating your web application is being attacked and part of the modules was hacked....

Application Owner dude: Unfortunately yes, we are aware of that and are doing everything we can to stop the attack. Our challenges here are that, firstly, we have to wait for the vendor to issue a patch. Secondly, we have to bring down the system to install the patch. Getting that unscheduled downtime to install the patch will be a huge problem because of the SLA.... We already know the attack vector the attacker used.. if only we could stop this attack vector somewhere.. I've checked with the IPS guy but unfortunately, the IPS is not built for that purpose, and neither is the firewall... I don't get it. I thought we had everything covered with all the security assessments we performed and all these security devices in place....

Information Security lad: Well... all is not lost yet. Remember the WAF thingy we told you about before? I believe the WAF guy can configure the WAF to cover your web application quickly without having to bring down the service. I know they have very good experience in managing that WAF. They certainly can specifically block that attack vector as well. This will act as a "virtual patch" and buy you some time until your vendor issues an official patch. It will also solve the unscheduled downtime issue, as you can now install the patch during normal maintenance windows instead, since the WAF will mitigate the attack.

Application Owner dude: Good idea.. let's do it! <* I should have listened to them earlier... *> . We should make WAF a mandatory policy!

Information Security lad: We want to.. just that we need more support from application owners like you to help us push the way .... :)

Moral of the story?
1. Traditional firewalls (stateful inspection) and Network Intrusion Prevention Systems only provide network-level and service-level protection. They are not effective in handling application layer attacks. At this moment, the best tool for application layer protection is a Web Application Firewall.
2. Always think Defense in Depth if you have a critical business asset to protect.

Ain't security fun? ;) 
