Over the past two editions, we outlined how vital it is to provide a robust security posture for one’s web server and the various options currently available. In today’s concluding installment, we take a long, hard look at applications.
For instance, that application you’re currently using? More than likely, it was not developed with security in mind. No matter how much we discuss the topic and talk about security-driven application development, how many people and companies really even know how to do that? How many developers test their applications from a security standpoint?
And what if the application in question is old, a legacy system that was written 10 years ago? Developers have moved on, documentation is scarce, if present at all, and yet the application plays a vital role in your company’s business.
Updating the tools it relies upon isn’t even a question – the application will break. Fixing the application’s own issues may well be even harder and often unfeasible. The entire construct is a vulnerability disaster waiting to happen. This is likely the most important example of where a WAF can be very useful.
A WAF will have a configurable layer where a business owner or vendor can create specific signatures. Therefore, instead of breaking the application, or living with one that is vulnerable and can expose confidential data, a WAF allows for the creation of customized protection: dedicated signatures tailored to very specific applications. This allows organizations to achieve strong protection for their web applications without altering the applications’ functionality, and without having to rush out updates to them.
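To make the idea of an application-specific signature concrete, here is a small added example (not code from the original post or from any WAF product) of the kind of tailored rule a WAF's configurable layer lets you write in front of a legacy endpoint without touching the application itself. The endpoint `/legacy/report.cgi`, its parameters `id` and `format`, and the sample requests are all constructed for illustration. The rule is written as a positive model: it states what the legacy endpoint legitimately accepts and the WAF rejects anything else, which is usually the easiest signature to write for an old application whose code you cannot change.

```python
"""Minimal WAF-style signature layer in front of a legacy endpoint.

Added example, not from the original post. The endpoint, parameter
names and sample requests are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Pattern
from urllib.parse import parse_qs, urlsplit


@dataclass
class Signature:
    """One tailored rule for a specific application path.

    allowed maps each expected parameter to a regex its value must fully
    match; any other parameter is rejected when reject_unknown_params is set.
    """
    name: str
    path_prefix: str
    allowed: Dict[str, Pattern[str]]
    reject_unknown_params: bool = True


@dataclass
class Request:
    method: str
    url: str  # path plus query string, as the WAF sees it


@dataclass
class Decision:
    allowed: bool
    rule: Optional[str]   # name of the tailored rule that decided, if any
    reason: str


# Constructed rule: the (hypothetical) legacy report endpoint only ever
# receives a numeric id and a format of either "pdf" or "csv".
LEGACY_RULES: List[Signature] = [
    Signature(
        name="legacy-report-positive-model",
        path_prefix="/legacy/report.cgi",
        allowed={
            "id": re.compile(r"[0-9]{1,8}"),
            "format": re.compile(r"pdf|csv"),
        },
    ),
]


def evaluate(request: Request, signatures: List[Signature]) -> Decision:
    """Apply the first tailored signature whose path prefix matches.

    Returns a Decision; requests outside every tailored rule fall through to
    the WAF's generic policy, which this example does not model.
    """
    parts = urlsplit(request.url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for sig in signatures:
        if not parts.path.startswith(sig.path_prefix):
            continue
        for name, values in query.items():
            if name not in sig.allowed:
                if sig.reject_unknown_params:
                    return Decision(False, sig.name, f"unexpected parameter {name!r}")
                continue
            for value in values:
                if not sig.allowed[name].fullmatch(value):
                    return Decision(False, sig.name, f"parameter {name!r} failed format check")
        return Decision(True, sig.name, "request matches tailored rule")
    return Decision(True, None, "no tailored rule; generic policy applies")


# Constructed sample traffic: one legitimate request, two malformed ones
# and one request outside the legacy endpoint.
SAMPLE_REQUESTS = [
    Request("GET", "/legacy/report.cgi?id=42&format=pdf"),
    Request("GET", "/legacy/report.cgi?id=42abc&format=pdf"),
    Request("GET", "/legacy/report.cgi?id=7&debug=1"),
    Request("GET", "/status"),
]


def run_samples() -> List[bool]:
    """Evaluate the constructed requests; returns the allow/deny outcomes."""
    results = []
    for req in SAMPLE_REQUESTS:
        d = evaluate(req, LEGACY_RULES)
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {req.url:45} {d.reason}")
        results.append(d.allowed)
    return results


if __name__ == "__main__":
    run_samples()
```

The point of the example is the shape of the rule, not the engine: the application is never modified, and if the legacy code later changes, only the signature's allowed parameters need updating. A real WAF would also log the denied requests with the rule name, which is what `Decision.rule` carries here.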
Note that we are not advocating running that old COBOL application for the next 40 years. And yes, sooner rather than later, we’d be better off scrapping everything and rewriting applications with more advanced tools. But the adoption of a WAF ensures that this process remains just that – a process – instead of a frenzied decision dictated by the need to cover up security holes.
We hope that you’ve found this series (parts 1 and 2) on why you need a Web Application Firewall (or WAF) informative and useful. With today’s threat landscape being this dynamic and fast-paced, organizations that fail to adequately arm themselves do so at great financial and operational risk.