For businesses today, web applications and APIs play a critical role in their success as they influence employee productivity, customer satisfaction, profitability, and operations. To ensure their security, most organizations secure their web apps and APIs with a web application firewall (WAF) but the security outcome they need appears to still be out of reach as 60% of breaches involve web apps.1
While a WAF is the optimal choice for protecting web apps and APIs, the problem encountered by many organizations is WAF mismanagement. Without effective, expert WAF management, a WAF can provide suboptimal protection, letting attacks pass through unchallenged which can result in compromise.
There are five primary WAF management challenges businesses currently face:
Web Apps Constantly Change
The launch of a web app and the security profile created for it is not a “one and done.” Most applications are constantly refined, improved, or even fully overhauled. The challenge is multiplied further when organizations manage numerous applications, a common occurrence as specialized apps are favored. This challenge will continue to grow as 45% of organizations anticipate having at least 200 public-facing web apps over the next 24 months.
Your security team needs to be made aware of every change to application code or architecture so they can make the appropriate changes to the WAF security profile. Modified or new policies and rulesets will be required. If your WAF security profile does not keep pace with your apps, your protections will be suboptimal.
New Day, New Threat Possibility
The global threat landscape is continuously evolving as new vulnerabilities are discovered and new exploits deployed. As web applications are exposed to the internet, they are easy targets for zero-day emerging exploits. Threat actors will target web applications as a matter of urgency, looking to capitalize on the gap between discovery of an exploit and when an organization acts to mitigate. To ensure your WAF is providing the security you need to combat the shifting threat landscape, you must constantly evaluate the latest threat intelligence and frequently tune your security profiles to ensure your policies protect against today’s threats, and not just those of yesterday.
Substantial Uptick in API Attacks
Web apps relying on APIs have grown significantly in recent years, with 96% of organizations reporting their apps utilize APIs. And with this use comes another attack vector for threat actors to target with new or adapted techniques. While a WAF can protect APIs, API interactions differ from those of end-user apps, therefore requiring specialized security policies.
Balancing False Positives and False Negatives
For a WAF security team, there’s the constant challenge of minimizing false positives – when a legitimate user is blocked from accessing an app as their activity is misidentified as harmful – and minimizing false negatives – when a request passes through unchallenged, but the activity is actually an attack that should have been blocked.
Reaching and maintaining this healthy balance takes significant experience and skills. On the one hand, implementing very restrictive rules keeps attackers out, but your legitimate users may be denied access as well. Opting for lenient rules ensures that your desired users will have ease of access, but so too may attackers, which could lead to web app compromise. This is the ongoing challenge of availability versus confidentiality and integrity — we need our applications to be available for legitimate users, but secure from attack.
Also in the mix is the pressure some internal security professionals face from their business stakeholders who prioritize minimizing false positives without considering what the impact may be on false negatives. False positives can be very visible and result in numerous support tickets peppered with complaints of being wrongly restricted. While this lack of availability impacts business operations, it should not warrant a degradation in security.
Without the appropriate expertise, those responsible for WAF security may resort to turning off a policy altogether, as they struggle to find a way to fine tune the policy to resolve the false positive and maintain the protection. This short-term fix leads to far greater consequences in the long term.
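The trade-off described above can be made concrete with a small, self-contained simulation. The following is an added example, not code from the original post or from Fortra; the rule engine, the rule patterns and the labelled traffic are all constructed for illustration and stand in for whatever a real WAF exposes. It scores four versions of one SQL-injection-style rule against the same constructed requests: a broad keyword rule (false positives on ordinary search text), the same rule switched off (the "short-term fix"), the same rule with scoped exclusions (a quieter but leakier middle ground), and a rule rewritten to match SQL structure rather than bare words (the fine-tuned outcome).

```python
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    params: dict
    is_attack: bool  # ground-truth label; constructed for this example


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    enabled: bool = True
    # (path, parameter) pairs this rule skips: a scoped exclusion
    exclusions: set = field(default_factory=set)

    def matches(self, req: Request) -> bool:
        """True if any inspected parameter value matches the rule pattern."""
        if not self.enabled:
            return False
        return any(
            self.pattern.search(value)
            for name, value in req.params.items()
            if (req.path, name) not in self.exclusions
        )


def evaluate(rules, traffic):
    """Return (false_positives, false_negatives) for a profile over labelled traffic."""
    fp = fn = 0
    for req in traffic:
        blocked = any(rule.matches(req) for rule in rules)
        if blocked and not req.is_attack:
            fp += 1  # legitimate user wrongly blocked
        elif not blocked and req.is_attack:
            fn += 1  # attack passed through unchallenged
    return fp, fn


# Constructed traffic: three legitimate requests, three labelled attacks.
TRAFFIC = [
    Request("/search", {"q": "select a product for my kitchen"}, False),
    Request("/blog/comment", {"body": "I'd like to union these two ideas"}, False),
    Request("/login", {"user": "alice", "pw": "hunter2"}, False),
    Request("/login", {"user": "admin' OR 1=1--", "pw": "x"}, True),
    Request("/search", {"q": "1 UNION SELECT username,password FROM users"}, True),
    Request("/items", {"id": "1; DROP TABLE items"}, True),
]

# Broad keyword rule: any SQL-looking word in any parameter.
KEYWORD = re.compile(r"\b(select|union|drop|or)\b", re.I)
# Tuned rule: requires SQL structure around the keyword, not the bare word.
STRUCTURAL = re.compile(
    r"(union\s+select|'\s*or\s+\d+\s*=\s*\d+|;\s*drop\s+table)", re.I
)


def strict_profile():
    return [Rule("sqli-keywords", KEYWORD)]


def disabled_profile():
    # The "turn it off" response to support tickets about blocked searches.
    return [Rule("sqli-keywords", KEYWORD, enabled=False)]


def excluded_profile():
    # Quieter: skip the two noisy free-text fields, at the cost of coverage there.
    return [Rule("sqli-keywords", KEYWORD,
                 exclusions={("/search", "q"), ("/blog/comment", "body")})]


def tuned_profile():
    return [Rule("sqli-structural", STRUCTURAL)]


def compare_profiles():
    """Map each profile name to its (false_positive, false_negative) counts."""
    profiles = {
        "strict": strict_profile,
        "disabled": disabled_profile,
        "excluded": excluded_profile,
        "tuned": tuned_profile,
    }
    return {name: evaluate(build(), TRAFFIC) for name, build in profiles.items()}


if __name__ == "__main__":
    for name, (fp, fn) in compare_profiles().items():
        print(f"{name:9s} false positives={fp} false negatives={fn}")
```

The point the numbers make: disabling the rule zeroes the false positives but lets every labelled attack through, a scoped exclusion trades one false negative for silence on the noisy fields, and only the rewritten rule resolves the complaint without giving up protection. Real WAF rule languages and exclusion mechanisms differ from this toy engine, but the measurement loop (label traffic, score the profile, change one thing, score again) is the part worth reproducing.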
Lack of Communication and Collaboration
The first four challenges we identified come together into the final WAF management challenge. You simply won’t optimize WAF protections and minimize false positives without frequent fine-tuning of security profiles. And while this can be labor- and skills-intensive, what truly hampers fine-tuning is a lack of communication and collaboration, and the silos between all parties involved with your organization’s web apps, APIs, and WAF. Effective security profile tuning requires:
- Security experts who understand your WAF and are on top of the evolving threat landscape
- Developers and application owners who share information to understand the apps and APIs currently being protected or that will require protection
- A 24/7 team ready at a moment’s notice to deal with false positives and emerging threats
A Better Solution for WAF Management
Protecting web apps and APIs is a growing problem for many organizations, with 55% saying that securing their web apps is more difficult than it was two years ago. And while there are many security responsibilities your organization may want to keep with the internal team, having the necessary combination of expert-level people and processes plus the budget to reach your desired outcome for web app protection simply may be out of reach in-house.
Instead, what if you had an external partner with proven success and experience in managing WAFs, with curated, world-class intelligence, bot management, DDoS protection, prompt resolution of false positives, and always-optimized protections? The combination of tool capability and expert management keeps your web apps and APIs online and your users, data, and network protected from compromise.
Solution Brief: Fortra Managed Web Application Firewall (PDF)