Web application firewalls (WAFs) are one of many web application security solutions at your disposal. Unfortunately, buyers often don’t understand their purpose and treat them as a direct replacement for other classes of tools, for example, web vulnerability scanners such as Acunetix. The two classes are as different as they get and the only way to get the most out of them is to use them both at the same time, not replace one with the other.

Should You Use a WAF without a DAST Tool?

Many businesses purchase a WAF solution and use it as the only means of protecting their web applications and APIs from attacks. While such a solution is effective to some degree, it gives a false sense of security. After all, the application behind the web application firewall is just as insecure as it was before the WAF was installed. All a malicious hacker needs to do is bypass the real-time WAF protection, and they can wreak havoc just as if there were no protection at all.

Web application security is achieved by eliminating issues at their source, not by hiding them from the outside world. A false sense that the WAF is enough is the result of buyers not understanding web application security and believing marketing pitches that claim the WAF will solve all their problems. WAFs are designed for threat mitigation, not elimination. They do not reduce the threat landscape at all.

Web applications can be attacked because developers make mistakes. Such errors let malicious hackers access sensitive data or even completely take over the web server and escalate the attack to other systems. The only way to ensure that your web app is safe and to prevent various types of attacks is to eliminate issues listed by the Open Web Application Security Project (in the OWASP Top 10 list), for example, SQL injections, cross-site scripting (XSS), remote code execution (code injection), local file inclusion (LFI), and more.

To eliminate the root causes of security issues and truly prevent common attacks (not just make them more difficult), you need a tool that will find, expose, and prove such issues. Acunetix actively scans your web application, points out security issues, and proves that they are real. This lets your developers correct their mistakes.

On the other hand, a WAF will not inform you of any problems that you have, will not improve your security posture, and may make your developers more careless about security, thus making your web applications more and more vulnerable to attacks. Therefore, if you use a WAF without addressing the root causes of the problems with a DAST tool such as Acunetix, you are actually worsening, not improving, your web application security.

Should You Use a DAST Tool without a WAF?

Despite the fact that Acunetix does not provide a WAF solution, we heartily recommend using Acunetix together with a WAF.

Acunetix can find, pinpoint, and prove web application vulnerabilities but can’t eliminate them. Vulnerabilities are not like viruses – they are not foreign elements, they are mistakes made by developers when writing your own software. Therefore, only developers can eliminate vulnerabilities.

Developers are usually very busy with writing new functionality, improving current web apps, and fixing bugs, so if they are tasked with rewriting your application code to make it secure, they can’t do it immediately. Managers queue such tasks for developers and it can sometimes take even weeks or months before the developers have time to resolve a particular vulnerability. Until then, your application is wide open to malicious hackers!

That’s why the best way to use a WAF is to treat it as a temporary security measure that reduces the chance of an attack until your developers have time to fix vulnerabilities. A professional tool such as Acunetix can work directly with WAF solutions, providing them with a relevant set of rules for every vulnerability. This also lets you avoid the need for a negative security model, which can have severe consequences on accessibility.
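
The scanner-to-WAF hand-off described above can be sketched as follows. This is an added illustration, not Acunetix's export format or code: the finding fields, the function name and the rule ID range are assumptions, and ModSecurity's SecRule syntax is used as one example target.

```python
import re

# Vulnerability class -> ModSecurity operator (libinjection-based detectors).
OPERATORS = {"sqli": "@detectSQLi", "xss": "@detectXSS"}
SAFE_PATH = re.compile(r"/[A-Za-z0-9_./-]*")
SAFE_PARAM = re.compile(r"[A-Za-z0-9_-]+")

# Constructed sample findings; the field names are assumptions, not a real export.
FINDINGS = [
    {"type": "sqli", "path": "/products.php", "param": "id"},
    {"type": "xss", "path": "/search", "param": "q"},
    {"type": "lfi", "path": "/view.php", "param": "file"},   # no operator mapped
    {"type": "xss", "path": '/a" "b', "param": "q"},         # would break quoting
]

def virtual_patches(findings, first_id=100000):
    """Return (rules, unpatched): one narrowly scoped rule per usable finding."""
    rules, unpatched = [], []
    for finding in findings:
        vtype, path, param = finding["type"], finding["path"], finding["param"]
        op = OPERATORS.get(vtype)
        # Scanner output is written into WAF configuration, so reject anything
        # that could escape the quoted rule arguments instead of emitting it.
        if op is None or not SAFE_PATH.fullmatch(path) or not SAFE_PARAM.fullmatch(param):
            unpatched.append(finding)
            continue
        rule_id = first_id + len(rules)
        rules.append(
            f'SecRule REQUEST_FILENAME "@streq {path}" '
            f'"id:{rule_id},phase:2,deny,status:403,log,'
            f"msg:'Virtual patch: {vtype} in {param}',chain\"\n"
            f'    SecRule ARGS:{param} "{op}"'
        )
    return rules, unpatched

if __name__ == "__main__":
    rules, unpatched = virtual_patches(FINDINGS)
    print("\n\n".join(rules))
    # Findings without a rule stay fully exposed until the code is fixed.
    for finding in unpatched:
        print("# no virtual patch:", finding)
```

Each rule applies only to the one path and parameter the scanner confirmed, so it can be removed as soon as the developers ship the real fix.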

WAFs also introduce certain types of protections that are not achievable with other tools. For example, unless you use specialized hosting with built-in DoS protection such as AWS, a WAF can help you avoid many DoS/DDoS attacks. In addition to reducing malicious traffic, WAFs and their reverse proxies can also help with web traffic load balancing to reduce latency, although this is not their primary purpose.

You Need Many Tools for Web Application Security

Security experts know that WAFs and DAST tools are just the tip of the iceberg. The more you want to improve your web application security, the more tools you can use for that purpose.

For example, DAST can work together with SAST tools (which check the source code but are known to report more false positives) or can be complemented with IAST solutions (like AcuSensor from Acunetix). SCA tools can quickly check your open-source components for known vulnerabilities. You can even use anti-malware solutions together with other tools (this is possible with Acunetix) to eliminate server-side malware.

DAST, SAST, IAST, and SCA can work in your DevOps automation environments to optimize your security efforts even further. These tools are available as security services, cloud platforms (SaaS), or on-premises solutions.

There are even more tools for your security teams that help them secure your application layer. Before your developers start work, a vulnerability often needs to be analyzed manually by penetration testers. This is especially true if you don’t have a tool such as Acunetix that provides proof that the vulnerability is not a false positive. Security researchers use many manual attack tools, proxies, manual scanners, authentication crackers, etc.

All in all, web application security is a complex topic and no single solution (even the best WAF) can take care of everything. Instead, let us help you learn how to start building your arsenal of tools from the ground up by showing you how to integrate Acunetix with WAF solutions.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz was the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.