Web Application Firewalls, or WAFs, are a key component of modern web security. According to Verizon’s 2020 Data Breach Incident Report, over 80% of attacks last year targeted web applications, an unsurprising statistic given the ever-increasing size of modern applications’ attack surface. However, not all WAFs are created equal. As both cyber attacks and web applications become more and more complex, WAFs must use increasingly sophisticated techniques to secure applications, and to ensure that protection does not come at the expense of performance.
This post will inform readers on what to look for in a WAF by discussing what a WAF is, the difference between signature-based and scoring-based WAFs, the need for real-time threat intelligence and protection against zero-day attacks, and how signature-based vs. scoring-based WAFs compare in addressing these threats.
What is a WAF?
WAFs provide protection for web applications by filtering HTTP traffic to block malicious requests and protect against OWASP Top 10 and other threats. As Gartner notes in its 2020 Magic Quadrant for Web Application Firewalls, “WAFs are deployed to protect web applications against external and internal attacks, monitor and verify access to web applications, and collect access logs for compliance/auditing and analytics.” In addition, industries that deal with payment information and other sensitive data rely on WAFs to meet different industry compliance requirements, such as PCI Security Standards.
What kind of threats do WAFs guard against?
Perhaps the most important use case for a WAF is to secure applications from OWASP Top 10 vulnerabilities. On their website, OWASP, or the Open Web Application Security Project, describes their Top 10 list as “a standard awareness document for developers and web application security [that] represents a broad consensus about the most critical security risks to web applications.”
These threats include vulnerabilities that can lead to specific types of attacks, such as Injections or Cross-Site Scripting, as well as practices, such as Broken Access Controls and Insufficient Logging and Monitoring, that can be exploited to access and manipulate data.
Other OWASP Top 10 Risks include:
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities
- Security Misconfiguration
- Insecure Deserialization
- Using Components with Known Vulnerabilities
In addition, more advanced WAFs may extend beyond OWASP protection to cover other attack vectors, such as API-based attacks, and to guard against emerging and zero-day threats.
One of the key difficulties in cybersecurity is addressing threats that are not yet known to cybersecurity experts, often referred to as zero-day attacks. Without protections in place to prevent these threats, time is on the side of attackers as security teams race to patch vulnerabilities and secure applications. Meanwhile, as noted by the digital security magazine CSO, “The more time an attacker has within an environment the more access they can get to different devices, different pieces of data, different accounts, and all of those that are things that we need to remove their access and limit their impact moving forward.”
As a result, real-time threat intelligence and the ability to guard against emerging and zero-day attacks are crucial to an application’s security.
How do signature-based and scoring-based WAFs work?
While all WAFs are designed to filter out malicious traffic, their methods for securing applications differ. Whereas signature-based WAFs rely on lists of known attack patterns, or signatures, to avoid known threats, scoring-based WAFs use lean rule sets to identify both known and unknown threats and block them according to desired sensitivity levels.
Signature-based WAFs leverage data about previous attacks to filter out traffic that matches known attack patterns. Each time a new attack is detected, security vendors create a signature made up of components of the attack pattern. The signature is then added to the WAF, which compares each new request against the signature and either blocks or generates an alert for any request that matches it.
As a result, signature-based WAFs must be constantly updated to maintain their relevance. These updates result in thousands of signatures, each of which must be compared against every new request, resulting in intensive resource use and diminished performance as requests are processed.
Signature-based WAFs:
- use negative security models that admit access by default
- only block known attack patterns
- must be constantly updated as new patterns emerge
- can significantly contribute to latency and resource use
In addition, signature-based WAFs can return a high incidence of false negatives due to their use of negative security models, which allow access by default unless an attempt adheres to the WAF’s predefined definitions of malicious behavior. As a result, applications are vulnerable to emerging threats like zero-day attacks, as well as to hackers who can easily manipulate known strings or expression patterns to gain a foothold in applications.
A survey of threat intelligence conducted by the computer and security journal Elsevier echoed this concern, noting that traditional WAFs and other security measures which rely “heavily on static malware signature-based or list-based pattern matching technology” leave digital assets “extremely vulnerable to ever evolving threats that exploit unknown and zero-day vulnerabilities.”
Although signature-based security policies have long been the traditional practice used by firewalls and antivirus programs, modern WAFs have been developed to avoid the performance and usage issues inherent in signature lists by replacing them with intelligent rule sets. These rules rely on algorithms to analyze the syntax of numerous attack patterns, which are condensed into a lean, performant set of rules (such as the SQL dictionary operators for injection attacks), and assign a score, or number of points, when those rules are met; in this case, words like UNION, INSERT, or TABLE would all increase a request’s score. If the request scores above a certain threshold, which can be adjusted for the desired sensitivity, it will be blocked.
As a result, scoring WAFs minimize resource use and avoid the latency issues of signature-based methods. In addition, scoring WAFs can be used to block variations on attack patterns before they are exploited by hackers. With the negative security model used by signature-based WAFs, requests are presumed safe until proven otherwise; scoring-based WAFs incorporate positive-security methods, which block by default any requests above a certain threshold. This enables zero-day and emerging threats to be blocked even before an attack signature is known and recorded.
Scoring-based WAFs:
- condense attack patterns into lean, performant rules
- define both negative and positive behaviors to enhance security
- require fewer resources and less processing time than signature-based WAFs
- guard against zero-day and emerging attacks
- require less manual updating of policies, resulting in cost savings on SecOps
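To make the contrast between the two approaches described above concrete, here is an added Python sketch (not Azion’s code or any vendor’s rule set) that places a toy literal-signature list beside a small scoring rule set whose block threshold is chosen by a sensitivity level. The rule names, point values, thresholds and sample query strings are all assumptions constructed for the example; it also shows the false-positive trade-off that a stricter sensitivity level introduces.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    points: int

# Hypothetical lean rule set for SQL injection: a few syntax-level rules stand in
# for a long list of literal attack strings. Names and point values are assumed.
SQLI_RULES = [
    Rule("sql-keyword", re.compile(r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP|TABLE)\b", re.I), 2),
    Rule("sql-comment", re.compile(r"(--|#|/\*)"), 3),
    Rule("quote-break", re.compile(r"'\s*(OR|AND)\b", re.I), 4),
    Rule("tautology", re.compile(r"\b(\d+|'[^']*')\s*=\s*\1"), 4),
]
# Sensitivity level -> block threshold (assumed values); stricter level, lower threshold.
SENSITIVITY = {"low": 10, "medium": 7, "high": 4}
# Toy signature list for contrast: literal fragments of previously seen attacks.
SIGNATURES = ["' or 1=1", "union select", "drop table"]

def score_request(value: str) -> tuple[int, dict[str, int]]:
    """Add points for every occurrence of every rule; return total and per-rule hit counts."""
    total, hits = 0, {}
    for rule in SQLI_RULES:
        n = len(rule.pattern.findall(value))
        if n:
            hits[rule.name] = n
            total += n * rule.points
    return total, hits

def scoring_decision(value: str, sensitivity: str = "medium") -> str:
    """Block when the request's score reaches the threshold for the chosen sensitivity."""
    return "block" if score_request(value)[0] >= SENSITIVITY[sensitivity] else "allow"

def signature_decision(value: str) -> str:
    """Block only when a known literal signature appears in the (lower-cased) request."""
    return "block" if any(sig in value.lower() for sig in SIGNATURES) else "allow"

if __name__ == "__main__":
    # Constructed sample query-string values, not captured traffic.
    samples = ["q=trade union history",                   # benign
               "q=select a table for the union meeting",  # benign but keyword-heavy
               "id=1' OR 1=1 --",                         # classic injection, on the signature list
               "id=1' OR 2=2 /*"]                         # trivial variant, not on the signature list
    for s in samples:
        total, hits = score_request(s)
        levels = " ".join(f"{lvl}={scoring_decision(s, lvl)}" for lvl in SENSITIVITY)
        print(f"{s!r}: score={total} {hits} | signature={signature_decision(s)} | {levels}")
```

The keyword-heavy benign request scores 6: allowed at the "medium" threshold but blocked at "high", which is the sensitivity tuning the text refers to, while both injection samples score 11 and are blocked at every level even though only the first one is on the signature list.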
Choosing a WAF partner
Gartner provides guidelines on what features make WAFs most effective in blocking today’s complex cybersecurity threats. It recommends WAFs that:
- Maximize detection and blocking of known and emerging threats
- Minimize false positives and adapt to web apps as they evolve
- Can distinguish bots from human users and apply appropriate policies for both
- Are easy to use and minimize impact on app performance
- Protect public-facing, partner-facing, and internal web apps and APIs
Azion’s Web Application Firewall is an easy-to-use solution designed to deliver security at the edge, while ensuring the high performance needed for edge-native applications. Rather than relying on negative security strategies that leave companies vulnerable to zero-day and emerging threats, Azion’s Web Application Firewall uses a scoring-based system and integrates with analytic solutions from Azion as well as third-party SIEM and Big Data solutions to provide real-time insight into threats.
Azion’s Web Application Firewall enables:
- protection against OWASP Top 10 Threats
- customization to meet various compliance requirements
- real-time monitoring of security threats through Edge Analytics
- zero-trust security through whitelisting and a positive security model
- virtual patching to minimize the need for custom code changes
To avoid false positives and false negatives, Azion WAF allows for custom rules and policies with granular control over sensitivity for each threat protection category. Furthermore, Azion’s programmatic WAF allows for automated rule creation and updates using elegant, prebuilt APIs and the Edge Firewall Rules Engine. Rule updates and virtual patches can be deployed effortlessly at the edge using Azion Edge Functions, decreasing friction between developers and security teams and enabling CI/CD.
Expand application security through Azion products
For added security, Azion’s Web Application Firewall can be extended through other Azion solutions, such as:
- DDoS Protection: mitigate complex network- and application-layer DDoS attacks
- Network Layer Protection: create a programmable security perimeter around content, applications, and origin infrastructure
- Edge Functions: build and run event-driven functions at the edge of the network
- Azion Marketplace: seamlessly integrate third-party security solutions
Azion’s security suite covers the network layer to the application as well as serverless code deployed on the edge. With our serverless solution, Edge Functions, developers can create custom functions or take advantage of pre-built functions like Azion JWT, which protect access to APIs. In addition, customers can build out their edge security capabilities through Azion Marketplace, which enables the seamless integration of third-party solutions, such as Radware’s Bot Manager.
D’Hoinne, J., Hils, A., Kaur, R., & Watts, J. (2020). Magic Quadrant for Web Application Firewalls (pp. 1-3). Gartner.