Web Application Firewalls (WAFs): What You Need To Know About the Security Checkpoint for Your Web Application

When you’re developing a cloud-native web application, it can feel as if you’re building a kingdom. The success of your application and company depends on a strong and scalable infrastructure, especially when it holds valuable assets such as data, proprietary information, and resources. And if you build it, the hackers and attackers will come.

A recent study from Tigera found that three-quarters of companies surveyed are focusing on the development of cloud-native applications. In the same report, 96% of respondents cited cloud-native application security as one of the biggest challenges they face in building out their capabilities. These numbers are reinforced by a CDNetworks study on web security, stating that web application attacks have risen by 800% as organizations work through the difficulties associated with keeping web apps safe.

So what are some ways you can protect yourself and your organization from these increasingly common attacks? The solution is in a next generation of security checkpoints — Web Application Firewalls, or WAFs.

How Web Application Firewalls (WAFs) Work

First, if you’re wondering what a Web Application Firewall is, the answer is straightforward. A web application firewall (WAF) is a form of application firewall that protects a web application from web-based attacks. In other words, it’s the security checkpoint or gatekeeper of traffic going to and from a website or API.

A WAF sits between an application and a client, monitoring and securing inbound and outbound traffic between the application and the internet. It applies rules that allow it to protect against attacks such as cross-site scripting, SQL injection, and broken access control, as well as other Open Web Application Security Project (OWASP) Top 10 weaknesses.

WAFs aren’t as old as a medieval fortress, but they did first appear in the late 1990s, and actually predate the rise of cloud infrastructure.

Your web application is just like a walled city. It contains an assortment of valuable materials that you need to protect, and has a two-way road connecting it to the outside world (the internet). The web application firewall is the security checkpoint of your city, stationed on the road at the main entrance. Any new person who wishes to enter is inspected, and a decision is made to either allow or deny access for entry.

The security checkpoint accepts those who meet the security criteria and rejects suspicious or malicious characters. Whenever people leave, the WAF security checkpoint assesses them again to make sure they aren’t taking any of the city’s valuable resources outside without approval. It also stops anyone from leaving — either accidentally or on purpose — with something they shouldn’t be able to take with them.
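The two-way checkpoint described above can be made concrete with a small rule engine. The following is an added example written for this article, not Prisma Cloud's code or any production WAF: it normalizes each inbound request surface (path, query values, headers, body), matches it against a handful of deny rules for the OWASP Top 10 payload classes mentioned earlier, and scans outbound responses for data that should not leave the city (card-like numbers that pass a Luhn check, private key material). The request shape, the rule set and all sample traffic are constructed for illustration.

```python
"""Toy WAF rule engine: inbound deny rules plus outbound data inspection.

Added example, not Prisma Cloud's code. Rules, request format and sample
traffic are constructed; real rule sets (e.g. OWASP CRS) are far larger,
scored rather than binary, and tuned per application.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass
class Request:                      # constructed request shape
    method: str
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Verdict:
    allowed: bool
    reasons: list


ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}

# Inbound deny rules: (name, pattern), written against *decoded* text.
INBOUND_RULES = [
    ("sqli", re.compile(r"(?i)(\bunion\s+select\b|'\s*or\s*'|\bor\s+1\s*=\s*1\b)")),
    ("xss", re.compile(r"(?i)(<\s*script\b|javascript\s*:|\bon(load|error|click|mouseover)\s*=)")),
    ("path-traversal", re.compile(r"(\.\./|\.\.\\)")),
]

# Outbound rules: material that must not leave without approval.
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are
    matched by rules written against plain text."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on order IDs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inspect_request(req: Request) -> Verdict:
    """Inbound checkpoint: allowlist the method, then run deny rules over
    every client-controlled surface, not just the body."""
    reasons = []
    if req.method.upper() not in ALLOWED_METHODS:
        reasons.append(f"method {req.method} not allowed")
    surfaces = [("path", req.path), ("body", req.body)]
    surfaces += [(f"query:{k}", v) for k, v in req.query.items()]
    surfaces += [(f"header:{k}", v) for k, v in req.headers.items()]
    for where, raw in surfaces:
        text = normalize(raw)
        for name, pattern in INBOUND_RULES:
            if pattern.search(text):
                reasons.append(f"{name} in {where}")
    return Verdict(allowed=not reasons, reasons=reasons)


def inspect_response(body: str) -> Verdict:
    """Outbound checkpoint: block responses carrying key material or Luhn-valid card numbers."""
    reasons = []
    if PRIVATE_KEY.search(body):
        reasons.append("private key material in response")
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            reasons.append(f"card-like number ending {digits[-4:]}")
    return Verdict(allowed=not reasons, reasons=reasons)


# Constructed sample traffic for the demo.
SAMPLE_REQUESTS = {
    "benign-search": Request("GET", "/search", {"q": "walled city history"}),
    "sqli-login": Request("POST", "/login", body="user=admin&pass=%27+OR+%271%27%3D%271"),
    "double-encoded-xss": Request("GET", "/profile", {"name": "%253Cscript%253Ealert(1)%253C/script%253E"}),
    "traversal-header": Request("GET", "/download", headers={"X-File": "../../config.yml"}),
    "trace-method": Request("TRACE", "/"),
}
SAMPLE_RESPONSES = {
    "order-page": "Order 1234 5678 9012 3456 shipped.",   # card-shaped, fails Luhn: allowed
    "card-leak": "Stored card: 4111 1111 1111 1111",       # well-known Luhn-valid test number
    "key-leak": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...",
}


def run_demo() -> dict:
    """Return {sample name: allowed?} for every constructed request and response."""
    results = {name: inspect_request(r).allowed for name, r in SAMPLE_REQUESTS.items()}
    results.update({name: inspect_response(b).allowed for name, b in SAMPLE_RESPONSES.items()})
    return results


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'BLOCK'}")
```

Two design points worth noticing: the decode loop matters because a rule written against `<script` never fires on a double-encoded query parameter unless the WAF normalizes first, and the Luhn check on the outbound side is what keeps an ordinary order number from being blocked while a real card number is. Signature rules like these trade false positives against coverage, which is why production rule sets are scored and tuned rather than binary.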

This is how traditional WAFs operated before the adoption of cloud environments — with only one entry point. However, as companies continue to move applications and data to the cloud, traditional approaches to building and protecting applications are becoming outdated.

You can learn more about how web application firewalls work and the threats they protect against in Episode 4 of What’s That with Prisma Cloud:

4 Ways to Step Up Web Application Security With WAFs

An organization’s applications were once hosted on a single server in their private data center or network. In other words, their walled city only had one entry and exit point, and its perimeter was well-defined. But attackers will do anything in their power to gain entry (underground tunnel system, anyone?). Threats can now come from all sides to target the web application and its back-end database.

As applications move to cloud platforms like AWS, Azure, and GCP, they become significantly more complex. To make cloud-native applications run securely, developers increasingly break down those applications into microservices with containers and Kubernetes. Another layer of complexity is added when considering that most cloud applications connect and communicate with other web apps through APIs.

The rise of cloud-native has turned the walled city into a complex, interconnected kingdom. To make things more difficult, the city now has many roads connecting its different neighborhoods to other application cities (APIs) and to the outside world — and they all need to be secured.

Obviously, one security checkpoint isn’t enough anymore. Instead, the city needs a coordinated security force that’s able to identify and secure each access point. This means the legacy WAF (a single security checkpoint) is no longer sufficient to protect cloud-native web applications. The coverage needs to be more extensive than traditional WAFs offer, since it must protect against potential vulnerabilities such as those outlined in the OWASP Top 10, advanced DoS, bad bots, access control, and file upload on systems open to the internet.

So what’s the ideal approach to securing cloud-native web applications?

  1. Develop strong discovery processes. Your security solution needs to be able to easily discover all the web apps and API endpoints in your environment.
  2. Ensure your security solution can defend against vulnerabilities, such as those outlined in the OWASP Top 10, advanced DoS, bad bots, access control, file upload, and more on systems that are open to the internet.
  3. Integrate protections and security checkpoints into your application lifecycle to make security a seamless part of the developer workflow.
  4. Implement a modern WAF whose defenses provide not only visibility into the application but also protection of it during runtime.

Moving applications to the cloud comes with a host of benefits, but it also means the potential for security threats is that much greater. Developers now need to ensure that their WAFs are protecting every endpoint and API associated with their application.

Leverage Web Application Firewalls Successfully with Prisma Cloud

As organizations move toward cloud infrastructure and development, they need to make sure they’re also modernizing their security solutions. Otherwise, they risk potentially disastrous security failures. Without a WAF that protects web applications and API endpoints, sensitive data and resources can be vulnerable to a variety of internet-based attacks.

Web application firewalls that can identify all the access points and API endpoints associated with a cloud-native application are crucial to making sure you don’t fall prey to security breaches. But they’re only one piece of the cloud security puzzle. The most successful and secure WAFs are part of all-in-one cloud-native security solutions, allowing their capabilities to work in tandem with a host of other tools within a Cloud-Native Application Protection Platform (CNAPP).

CNAPPs combine the functionality of advanced WAFs that protect applications and APIs with other critical tools, such as IaC scanning, posture management, entitlement management, and CI/CD security. CNAPPs provide developers and security professionals with a single dashboard, allowing them to address their full continuum of needs from development to build to deployment to the runtime environment.

With the use of comprehensive security solutions, you can feel safe knowing your cloud is protected against sophisticated threats ahead of time — and your teams are well-equipped to identify and fix critical risks.