Web Application Firewalls (WAFs) are one of the most prevalent defenses of a web platform. Despite the popularity of WAFs, application developers and the security community (including Gartner, a leading consulting firm) recommend complementing WAF investments with a more targeted approach.

But why is one of the most favored application security technologies falling out of the limelight?

1. False positives

False positives block legitimate app traffic, which results in a poor user experience. That is why many production WAF deployments run in passive mode rather than in active mode (also known as blocking mode).

There are many reasons behind WAF false positives, but the three main drivers are:

  1. Blacklist rule usage: this is the oldest protection approach. Blacklist rules are implemented by regular expressions that try to identify attacks. However, the rules do not really understand the request payload. As a result, blacklist rules sometimes block legitimate requests. At the same time, attackers can often circumvent blacklist rules.
  2. “All input data may be an exploit” doctrine: since a WAF does not know whether or not the application is truly exploitable, it needs to actively validate all input data, and block the suspicious requests early on, before reaching the application itself.
  3. Application updates: WAF implementations based on learning processes build a set of rules that apply to a particular release of the application. When the application changes, these rules no longer apply and therefore trigger false positives.

2. Limited protection

WAFs watch the traffic flowing in and out of the app from the outside. They lack visibility inside the application runtime. As a result, WAFs are not able to determine whether the application is actually vulnerable to exploits. Moreover, certain risks, such as insecure deserialization, are only visible from inside the application and can't be covered by an input validation approach.

In addition, the validation techniques that WAFs implement through learning processes have important limitations because they focus only on data-type validation. These techniques are not able to detect business logic attacks that respect the data type (integer, string, etc.) but alter the value of the parameter.

3. Complex maintenance

The typical WAF installation project takes weeks to be up and running. Combined with the required maintenance activities, this puts a significant strain on the operations team. Often, WAF management requires dedicated headcount.

4. Adaptability to new web standards

According to the Gartner WAF Magic Quadrant (2018 edition), many WAF vendors struggle to catch up with new web architecture standards. New development approaches such as client-side MVC and REST APIs break the traditional web architecture (server-side MVC). These approaches make it almost impossible to understand the logic behind each piece of data when the data is observed outside the application context.

5. Portability and cloud support

Security should not depend on the deployment conditions of apps. As flexible deployment environments gain popularity, incorporating security controls into the deployment infrastructure is no longer considered a best practice.

6. Lack of DevSecOps support

WAFs are not very useful for developers and architects, as WAFs only provide perimeter protection and they are used only in production environments. When apps change frequently, such as in Continuous Integration / Continuous Delivery workflows, WAF learning and updating activities introduce delays which result in slower time-to-market.

Circumventing the WAF challenges: the Runtime Application Self-Protection (RASP) approach

According to Gartner, the web application firewall market is ripe for disruption in 2018 (Gartner Market Trends, G00331221, 12 December 2017). Furthermore, Gartner recommends that WAF users consider newer technologies such as RASPs to solve the limitations that WAFs present due to their stagnant innovation. In particular, we believe a RASP provides the following key improvements over WAFs:

1. Mitigation of false positives

In contrast to the WAF's external view of app traffic, RASPs leverage their privileged position inside the application to understand when and how a vulnerability is exploitable. This visibility allows RASPs to better detect exploit attacks by applying innovative payload analysis techniques such as grammatical analysis. This approach improves validation performance and exponentially reduces the probability of false positives.
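The contrast between a blacklist rule and grammatical analysis at the point of use can be shown with a small added example (not code from this article or from any RASP product). The rule, the tokenizer, the vulnerable `build_query` function and the sample inputs are all constructed for illustration, and comparing token skeletons is only one simple form of grammatical analysis.

```python
import re

# Constructed blacklist rule of the kind a perimeter filter applies to raw values.
BLACKLIST = re.compile(r"(?i)('|--|\b(?:select|union|drop|or)\b)")

# Minimal SQL tokenizer: string literal, number, identifier/keyword, operator.
TOKEN = re.compile(r"(?P<str>'(?:[^']|'')*')|(?P<num>\b\d+\b)"
                   r"|(?P<word>[A-Za-z_]\w*)|(?P<op>[^\s\w])")

def waf_blocks(value: str) -> bool:
    """Perimeter view: pattern match on the payload, blind to how it is used."""
    return bool(BLACKLIST.search(value))

def skeleton(sql: str) -> list:
    """Reduce a statement to its grammar shape; literals become LIT."""
    return ["LIT" if m.lastgroup in ("str", "num") else m.group().upper()
            for m in TOKEN.finditer(sql)]

def build_query(value: str) -> str:
    # Hypothetical vulnerable data-access code: concatenation into SQL.
    return "SELECT id FROM notes WHERE body = '" + value + "'"

BASELINE = skeleton(build_query("x"))  # shape the developer intended

def sink_blocks(value: str) -> bool:
    """In-app view: block only when the input changed the statement's shape."""
    return skeleton(build_query(value)) != BASELINE

# Constructed sample inputs.
SAMPLES = {
    "plain":     "meeting at noon",
    "keywords":  "please drop my order or select another union rep",
    "injection": "x' OR '1'='1",
}

def compare() -> dict:
    """Return {name: (blacklist verdict, sink verdict)} for each sample."""
    return {k: (waf_blocks(v), sink_blocks(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:10} blacklist={verdicts[0]!s:5} sink={verdicts[1]}")
```

The `keywords` sample is ordinary text that the blacklist blocks but the sink check lets through, because it stays a single string literal in the final statement.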

2. Broader protection

At the same time, RASPs take advantage of their position inside the application to understand the flow of the application logic. As a result, RASPs provide innovative positive validation techniques against non-exploit based attacks such as access control, abuse, binding, etc.
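The gap between data-type validation and positive validation of the value itself can be made concrete with an added example (not code from this article or from any product). It assumes one possible design: the application seals each value it offers with an HMAC bound to the session and parameter name. All names, the key handling and the scenario are constructed.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process secret

def type_valid(value: str) -> bool:
    """Learned data-type rule: the parameter must be a string of digits."""
    return value.isdigit()

def seal(session_id: str, name: str, value: str) -> str:
    """MAC binding a server-issued value to its parameter and session."""
    msg = "\x00".join((session_id, name, value)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def value_valid(session_id: str, name: str, value: str, tag: str) -> bool:
    """Positive validation: accept only a value the server issued itself."""
    return hmac.compare_digest(seal(session_id, name, value), tag)

def render_form(session_id: str, account_ids: list) -> list:
    """Options the server offers this user, each carrying its seal."""
    return [(a, seal(session_id, "account_id", a)) for a in account_ids]

def handle(session_id: str, value: str, tag: str) -> str:
    """Request handler: type check first, then the value-integrity check."""
    if not type_valid(value):
        return "rejected: wrong type"
    if not value_valid(session_id, "account_id", value, tag):
        return "rejected: value not issued to this session"
    return "accepted"

def demo() -> dict:
    # Constructed scenario: the server offers account 1001 to session s-alice.
    (value, tag), = render_form("s-alice", ["1001"])
    return {
        "untouched": handle("s-alice", value, tag),
        "altered value": handle("s-alice", "1002", tag),
        "other session": handle("s-bob", value, tag),
        "type check alone on altered value": type_valid("1002"),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The altered value `1002` is still a valid integer, so the type rule accepts it; only the check on what the server actually issued rejects it.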

3. Easier maintenance

RASPs are easier to maintain than WAFs because the advanced exploit protection techniques described above (real time protection systems) do not require complex learning processes that must be repeated every time that the application changes.

4. Adaptability to new standards

As mentioned above, RASPs are integrated as part of the app. This allows a very deep understanding of the meaning of each piece of data. RASPs see the flow of the data through the various layers of the application. This approach is independent of the response format (such as JSON vs. HTML) and the architecture of the application.

5. Portability and cloud support

The elements that make up a RASP platform are part of the application itself (sometimes as part of the container). As a result, security is integrated within the application, which remains protected wherever it goes.

6. DevSecOps support

By combining RASP and IASP approaches, security becomes part of every stage of the development cycle. We believe that this approach is a superior strategy, and it is fully supportive of DevSecOps methodologies.

Will the RASP technology replace WAFs?

We expect WAF solutions to remain popular for many years, but clearly the new technology requirements and organizational challenges described above demand a new response from security solutions providers.

As of today, RASPs are an ideal complement to existing WAF investments, and in the long run we believe RASP technology products will potentially replace WAFs altogether.
