Raphaël Leblanc, Bee Ware : How WAFs complement Code Reviews and Pentests
April 2010 by Raphaël Leblanc, Head of Software Development, Bee Ware
IT Security approaches are often perceived as being in opposition to one another. Typical examples are code reviews, pentests and WAFs (Web application firewalls) which are regularly positioned as opponents…and yet they are complementary technologies, each bearing its own specific benefits.

Although the Web is a major business facilitator in terms of organisation, communication, company image and sales, its integration remains tricky and applications are required to comply with increasingly strict guidelines:
the capacity to change and adapt (for application and/or content agility)
high availability (clustering/grid/cloud, backup/restore, etc.)
security (of data, client/server applications, services).
Within the regulatory landscape, PCI-DSS recommendations are based on technical approaches, and compliance is obtained by adhering to best security practices, which in turn require both technical and organisational solutions such as the regular monitoring of configurations. In the case of security requirements, three technical approaches are prescribed:
code review (outsourced or home-based)
pentesting (system penetration tests, usually outsourced)
Web application firewall
Code assessment is a methodical and precise approach, where each and every application service has to be tested and analyzed for flaw detection. While the procedure can be systematic, it necessitates ongoing effort (defeating the dynamism expected from a Web application) and expert involvement (security and application expertise).
Furthermore, because assessment is carried out using a piecemeal approach, whereby each Web Service is separately analyzed, it is difficult to achieve a holistic view of the security of an application. If we look at the example of a simple file upload Web Service, which carries out a content check on the uploaded document, it is possible for the Web Service to be pronounced secure after a code audit is performed. The same cannot be said of the application itself: if several similar services exist, the application server becomes susceptible to DoS (Denial of Service) attacks when a user triggers many of these processing jobs at the same time. Only a global view of the application can throw light on such security issues.
Penetration tests on the other hand deploy a cohesive approach. Using either black-box (unfamiliar application) or white-box (known application) techniques, penetration tests are run from a macroscopic perspective. The flaws that affect several application modules are tested. For instance, to detect an XSS flaw, fraudulent Javascript will be inserted in a sign-up form, and its activation will be tested on all pages of the application (seemingly harmless pages for the most part) that display the entry data.
Code reviews and pentests diverge in their management of application security and knowledge. WAF technology not only improves security policies by overcoming the shortcomings linked to the two previous approaches but also introduces new features. Transparent and continuous evaluation of application traffic enables the WAF to automatically consolidate its security policy by assimilating how the application functions. Running throughout the Web application lifecycle from the development stage to production, WAF learning mechanics respect the need for agility while avoiding the high level of investment imposed by code reviews and pentests.
Ultimately, a WAF is capable of uncovering fraudulent use of parameters (XSS, XSRF, SQL injection, parameter tampering, etc.) without specific knowledge of an application. However this fine-grained approach can sometimes be fragmentary. From a more macroscopic perspective, a WAF can detect pairs (key + value) and apply a security policy to them based on statistical data collected during the learning process. For example, the « id » parameter can be set as a positive integer from 1 to N for the entire application or for a given Web Service.
Widening the WAF perspective further allows it to identify different uses of a Web script and apply a strict security policy to it. For example, a user account administration script can serve to add, modify or delete an account. It can be a single script that behaves differently when faced with varying entry parameters. A WAF will be able to determine each entry type and establish a security policy corresponding to each use. A new user account with a predetermined login would thus be regarded as an attempt to usurp identity, whereas account modification or deletion with no given login would be treated as an error.
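The two WAF behaviours described above (a learned per-parameter profile such as "id is a positive integer from 1 to N", and a per-use policy for a single multi-purpose account script) can be modelled in a few lines. The following is an added illustration, not Bee Ware's code or any product's API; the script names, parameter names and observed traffic are constructed for the example.

```python
# Toy model of WAF learning and enforcement (constructed example, not a product).
from collections import defaultdict
import re

POS_INT = re.compile(r"^[1-9][0-9]*$")  # positive integer, no sign, no leading zero


class ParamLearner:
    """Learning phase: record every value seen for each (script, parameter) pair."""

    def __init__(self):
        self.seen = defaultdict(set)

    def observe(self, script, params):
        for key, value in params.items():
            self.seen[(script, key)].add(value)

    def profile(self):
        """Derive one rule per (script, parameter) from the collected statistics.
        Heuristic: all-integer values -> bounded positive-int range; otherwise the
        set of observed values. A real WAF would use volume thresholds as well."""
        policy = {}
        for (script, key), values in self.seen.items():
            if all(POS_INT.match(v) for v in values):
                ints = [int(v) for v in values]
                policy[(script, key)] = ("int", min(ints), max(ints))
            else:
                policy[(script, key)] = ("enum", frozenset(values))
        return policy


def check_param(policy, script, key, value):
    """Enforcement phase: True if the (key, value) pair fits the learned rule."""
    rule = policy.get((script, key))
    if rule is None:
        return False  # parameter never observed during learning -> reject
    if rule[0] == "int":
        return bool(POS_INT.match(value)) and rule[1] <= int(value) <= rule[2]
    return value in rule[1]


def check_account_use(params, existing_logins):
    """Per-use policy for one account-administration script with three uses."""
    action, login = params.get("action"), params.get("login")
    if action == "add":
        # creating an account under an already-known login: identity usurpation attempt
        return login is not None and login not in existing_logins
    if action in ("modify", "delete"):
        # modifying or deleting without naming an existing account: treated as an error
        return login is not None and login in existing_logins
    return False  # unknown use of the script
```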
In conclusion, using a WAF enables the setting up of an efficient and flexible security policy, but this is not its sole benefit. Where code reviews and pentests serve to highlight application vulnerabilities, a WAF provides interim remediation (virtual patching for the application or service) until a new and corrected version is released. More than just a passive tool, a WAF plays an integral role in the active security of an application.