Cloud WAF: Why a Checkbox Isn’t Enough


I remember when I first learned about Web application firewall technology. It seemed like magic to me: A device that could compensate for bad coding or unexpected/unintended web application functionality. It could do this by learning expected application behavior and then enforcing said behavior, even if the application itself was capable of allowing the unwanted behavior. The business case for such a technology is easily recognizable even more so today than it was in the mid- to early 2000’s when it first came out: the ability to have a device compensate for human error.

The potential cost savings of this type of technology either in physical costs or brand protection is easily explainable. Consider for one second the cost a particular adult dating site has incurred; not due to actual funds being stolen but due to PR expenditures and legal fees associated with the hack. At the end of the day, we are all just human and yes we can fix errors when we find them, but sometimes things aren’t even exploitable until they are. It is easy to see the value of a technology that can protect against this unknown risk.

To illustrate this unintended functionality risk let’s describe a simple SQL injection in the context of a story:

The year is 2003 and I have decided I want to break into your bank account. I don’t know anything about you other than your name, your wealth, that you portray yourself as tech savvy and you bank at Wealthy Man Bank. So I open an account at Wealthy Man Bank too. I get online account access (if you’re tech savvy you’ll be doing online banking) so I can see the syntax for the user name (now I know what your user name is). For argument’s sake, let’s say it was first initial, last name. Knowing a user name doesn’t get me in though, so nothing to worry about, right? Well, not quite true. I happen to be a budding SQL developer and I know that in the coding world 1=1 or a=a or 2=2 etc. means true. So in other words, I substitute this basic SQL statement for the for the password in the password field and voila! I’m in, and all your money is gone (note this type of SQL attack would likely not work today because developers are generally smarter than that now).

In the above example the hacker tricked the application into doing something it wasn’t programmed to do. This type of breach was recognized early on by the likes of the PCI-DSS council who decided to make secure code review and/or a WAF a requirement of credit card compliance in order to prevent it. Most organizations eventually chose to go the route of a WAF because although secure code review should be part of a best practice, it is usually a point-in-time static check… and almost all code today is dynamic and ever changing. It doesn’t help that we are human and we make mistakes. A true WAF, configured and managed correctly, solves that problem by enforcing only known good behavior. It has to have a positive and a negative enforcement architecture to truly achieve this.

Today we are spoiled for choices when it comes to WAF. We have multiple options for on-prem or in the cloud WAF, and we also have several other devices like next-gen firewalls and some Proxy technologies that say they protect against the OWASP top 10 risks. What makes some stand apart from others and why do you still need a real WAF?

First, let’s discuss what makes a WAF a WAF and where technology comes from. In the early days when companies like Terros first espoused this type of technology, our friends at Gartner labeled it as an IDS. The key thing that eventually differentiated it from and IDS/IPS with targeted OWASP signatures and still does is the ability to do positive application enforcement (enforce known good behaviors and block everything else). The WAF can and does have signatures, but the magic is in learning and enforcing the expected behavior. This official differentiation happened around the year 2006. The PCI-DSS council made their compliance requirement almost at the same time.

[You might also like: WAF and DDoS – Perfect Bedfellows: Every Business Owner Must Read.]

The problem with a WAF then as it is now and has always been is that it is a very interactive product. Most other security devices are to some extent set and forget, but a WAF is always high touch. Every time the application changes I have to touch the WAF to avoid false positive “blocks.” To illustrate what I mean, if I add a new feature to an application, the WAF will block it if it hasn’t seen it before and it should. A new feature would be unexpected behavior, a divergence from the baseline, so to speak. The only way to solve this is constant care and feeding. The problem is further exacerbated by the fact that the work or security team that runs the WAF don’t actually write the application code. They have to see the error or false positive, then get hold of the development team, etc. Due to this complexity of management, we found the adoption of WAF outside of the PCI compliance realm rather stunted and the success rate of people using the WAF for more than a checkmark mixed.

Over the past few years several changes have taken place in the WAF space. The biggest change has been the move to WAF as a service, both as a full SAAS offering and as a fully managed service. This change has been a boon for adoption as the complex setup and management has been greatly reduced. However, all is not as it seems. Remember the functionality that differentiated a WAF from an IPS or for that matter a next generation firewall, the ability to learn the application and enforce known good behavior? Well that doesn’t exist in most Cloud WAFs. I would contend that in fact there are only two WAF-as-a-service companies that actually offer a true cloud “WAF.” Remember folks, just because you call something by a particular name doesn’t make it so. What you get from the cloud hosting providers is often not a WAF, and what you get from anyone not offering positive enforcement capabilities is not a WAF.

Compounding this obvious problem is the fact that most large enterprises are stuck in a hybrid architectural scenario, with some of the assets protected behind hard-to-manage on-prem devices and some in the cloud behind a service. Most players in this space offer either an appliance or a service, not both. Worse, when they do offer both it’s not the same technology. Most on-prem solution are to a greater or lesser extent a WAF. Most cloud WAFs are in fact IPSs with a signature set tuned to protect against the OWASP top 10 threats. The limitation of signatures is not the only problem. It’s the fact that you will have to manage two different systems, pull reports form two different systems, etc. and not have a single point of contact from a support and management perspective.

The next-gen solutions that have come out over the past year have answered this challenge by offering a true WAF in the cloud that uses the same universal management and reporting console. On top of this, at least one Israeli-based organization offers a full managed services solution stack that covers both their physical appliances and their cloud SAAS offering. This allows organizations either transitioning to the cloud or who have a hybrid architecture to have a seamless experience. It also empowers organizations to now harness the full capabilities of a WAF, which were previously unattainable because of the high-touch, high-skill requirements.

In today’s world where web attacks are becoming ever more common and the cost of these attacks when successful ever higher, it is not worth selecting a solution for its substance rather than its name. Especially when the solution is roughly the same price and globally available, and unmistakably alone in answering the customer’s true needs.


Read “Keep It Simple; Make It Scalable: 6 Characteristics of the Futureproof Load Balancer” to learn more.

Download Now


  1. “(To date) we have saved about 300,000 k – Wh,” said, Dr.
    Don’t’ forget to click on the Slide Show and Video to your left.
    Many new & old tradesmen, with creative
    one-of-a-kind gifts & treasures, spent 3 days at the Prime Osborn Center supplying individuals with gift-to
    give away and some gifts to keep for themselves.

  2. He had the same chance as everyone else on the
    flight. He chose to fight in the most childish way possible when he could have just driven home with
    his wife. He delayed the flight the amount of
    time it would have taken to drive.. Natsumi suspects that Keroro will use
    his invisibility device to go out and cause trouble, so she convinces her
    family to install hidden cameras throughout
    the house to spy on him. Later, Natsumi accuses Keroro of spying on the family when she discovers a pair
    of binoculars outside, but the Hinatas survey the security footage to find
    that Keroro has done nothing out of the ordinary.
    The true culprit is later revealed to be
    Giroro, another member of Keroro’s platoon..

    Bathing Suits The midfoot is also wide, though, which leads to me tightening the
    laces a lot and that creates a tight spot on the top of my foot.
    Otherwise, it’s a nice shoe that has a flexible
    sole. Very comfortable for walking around. Finally moved down to Kyle.
    LOVE LOVE LOVE it out here. We get more square footage for our money.Bathing Suits

    swimwear sale But then she also openly shares and shows the fact she works out for hours every day.
    I seen one clip where she said she was off for workout
    number 3 of the day. Then I saw one where she did a 2 hour
    work out session.. And the rules seem to change
    country by country as well. Esther, 7, told me
    just the other day that she noticed people are more comfortable being naked here in France than they are in America.
    She noticed this after just a few visits to a public pool,
    and lots of visits to her friend backyard pool.swimwear sale

    dresses sale 2) Click on the title of the template (it will then appear on its own for a closer inspection), then click “Download” after which you simply agree to their user license agreement to receive the file.
    (You might have to install an Active X plug in for Internet Explorer
    if you don’t already have it.)3) Open your now downloaded template in Word and follow the simple instructions
    to enter your specifics in the right category. It’s just a
    matter of typing over their text with your own personal information and history..dresses sale

    Sexy Bikini Swimsuit My advice Buy one or two inexpensive pairs
    of shoes that arecomfortable and fit your feet the way they
    are now. I pretty much lived in my flip flops (my OB/GYN joked she could always
    spot a pregnant woman in Colorado because we
    were the ones wearing flip flops during a blizzard). After you given yourself some
    time, you can start trying on shoes and seeing what feels good and if you must
    buy larger sizes.Sexy Bikini Swimsuit

    Tankini Swimwear She has also been trained in basic self
    defense. She has a large appetite and constantly struggles
    with getting enough money to eat, despite coming from a wealthy household.
    She has an older sister who ran away from home due to their parents being
    very strict as well has having a strong dislike towards phantoms.Tankini

    beach dresses Chi l’ha detto che i costumi da bagno interi
    siano noiosi Accendi il divertimento estivo con un fresco e
    provocante trikini. Un trikini veste come un costume intero combinandolo alla copertura di un bikini.
    Immagina un bikini con simpatici lacci e ampi ritagli sul lato.beach dresses

    cheap swimwear If you look at I think lots of those would
    work well. I really appreciate it. I got fitted
    at Victoria Secret and that the size they gave me twice.
    This was my first God of War game. I tried watching a recap of
    the previous games and only came out with a general sense of
    his past, which made a big difference in the
    story for me. I also a huge Norse mythology nerd, and so this game hit all the right notes for swimwear

    Sexy Bikini Swimsuit I have never worn a properly
    fitted bra before. I wore 36As that big cups and bands.

    I wore 36Bs that were too narrow and dug into my sides.
    She isn saying that the food isn similar to the
    subcontinent, it just that the regional style makes a
    difference in how you cook it as well. I moved across the country and the
    way Indian food is made has a different style and take between the
    east and west coast. All of it is easily identifiable as certain desi dishes, and they largely taste the same, but it is a little different..Sexy Bikini

    Cheap Swimsuits Hi! Certain shape factors can lead the
    calculator to overestimate. Your estimated band size of 40 looks to be a good place to start as bras in the 40+ band
    range tend to have extra stretch in them. Being pendulous myself with a lot
    of soft breast tissue, you may get a good fit with a 40H (UK) /
    40K (US).Cheap Swimsuits

    Tankini Swimwear Managed VPN solution service providers can also help organizations save money
    by routing the data of several organization over the
    same data lines, or help enterprises to leverage the expertise of the provider’s staff to alleviate additional
    overhead expenses. The widespread availability of WWAN,
    DSL and other broadband options gives enterprises multiple ways to securely interconnect network users over a VPN.
    Another benefit of VPN is that it gives an organization the advantage to use virtually Bathing Suits any data service option, as cost and availability dictate Tankini Swimwear.


  3. Good day very cool website!! Guy .. Excellent .. Superb ..
    I will bookmark your web site and take the
    feeds additionally? I’m glad to search out a lot of
    helpful info right here within the submit, we need work out more strategies on this
    regard, thank you for sharing. . . . . .


Please enter your comment!
Please enter your name here