Web Application Firewalls do not replace secure development and operation of web applications

In eval($WAF); whitepaper, L. Nothdurfter, W.Neudorfer and M. Kirchner from the University of Applied Sciences Upper Austria, explain in detail how they evaluated the capabilities of some leading WAFs (web application firewall), and concluded that although a WAF can raise the security level, secure development and operation of web applications should be of top priority.

As a matter of fact, while evaluating some leading web application firewalls, they also released 3 web application firewall advisories:

• Artofdefence Hyperguard Web Application Firewall (Remote Denial of Service)
• phion airlock Web Application Firewall (Remote Denial of Service via Management Interface (unauthenticated) and Command Execution
• radware AppWall Web Application Firewall (Source code disclosure on management interface)

Some facts about WAF’s, which anyone considering of buying a WAF instead of securing his web application should read(quotes from the white paper’s conclusion):

1. the additional layer of defense (WAF) is partly porous and does not replace the secure development and operation of web applications.
2. It also must not be overseen that a web application firewall is an additional device that is placed between the client and the web server and is therefore an additional device that can have influence on the availability of the overall system.
3. It is also an additional system that can have vulnerabilities or other forms of implementation flaws and requires regular maintenance.
4. Additionally it has been shown that web application firewalls can also be the target of successful attacks (cross-site scripting flaws, cross-site request forgery, denial of service, command execution, etc.)
5. When defining rules for a specific web application or modifying the standard Ruleset it is very important to test the whole web application and all provided functions for their correct functionality.  This can for example be done using automated testing frameworks. In the course of the project often certain functionalities of the web applications used for testing have been rendered unfunctional because of predefined rules of the web application firewalls. As unexpected side effects like this can occur with every change of the rules or the web application itself, comprehensive testing is necessary.

Acunetix integrates with popular WAFs to automatically create the appropriate Web Application Firewall rules to protect web applications against attacks targeting vulnerabilities that the scanner finds.