If Applications Are So Vulnerable, Why Doesn't Everybody Have a WAF?

Blog Post created by B-3-XH9UGV Employee on Jul 14, 2017

This Part II of a three part series “Web Attacks Today and How to Stop Them”

Click here to read Part I


I began my career roughly 20 years ago at a telecom/software startup.  We made “Unified Messaging” software, providing companies with the ability to see and listen to their voice mail in their Outlook inbox.  The software was popular, and it wasn’t long before we were bought up by Nokia and I began a long career in larger technology companies. 




from: http://workingforwonka.com/wp-content/uploads/2011/06/wear_multiple_hats_at_work.jpg accessed June 29, 2017


As I think about Application Security today, I force myself to remember just how many hats all of us wore while we were in start-up mode, and what our “IT” department looked like \back then.  Our “Senior” or executive management team consisted of 4 people:  The two founders (Biz Dev and Company President), a Director of Finance, and a Director of Engineering.  HR?  reported to the Finance Director.  IT department?  Forget it -- we had no IT department.  If something in our back end systems needed building or fixing, our head engineer usually got roped into doing the work for the QA department, marketing department, or the engineers themselves.  And because there was no IT department, there certainly was no Security department, and no person in charge of security. 


In this context it isn’t surprising that we did not have a web application firewall or WAF.  And I would bet that if we were founding that same start up today, we still wouldn’t have a web app firewall.  I come to this conclusion despite the fact that Gartner recommends that Enterprises use Web Application Firewalls, and despite the fact that PCI-DSS call for the use of WAFs


Why is this?  Because Web App Firewalls are traditionally hard to set up, require nearly constant care and feeding, and they are difficult to maintain.  And then there is “FOFP” or fear of false positives.  Even if a WAF they are maintained with relative consistency, even a well-tuned WAF introduces the risk of accidentally blocking a legitimate request – in other words the risk of “false positives”.


People in startups today, by necessity, continue to wear many hats and juggle many tasks. Sadly, the combination of difficult maintenance, a perennial shortage of Application security professionals, and risk of false positives has brought us to the point where even companies that have security professionals, 30% don’t have a web app firewall (Ponemon Research, 2015)– and that, of course, the list of  companies that don’t have a Web App Firewall is not limited just to start ups.  There are many “mid-size” companies – perhaps yours is among them --- that don’t even have security staff to purchase a WAF, let alone manage it.  


But fear not -- In my next post I’ll introduce a web application firewall designed for just these companies – companies that don’t have the time or resources to configure and manage a WAF, or companies that suffer from FOFP (Fear of False Positives).


Click here to read Part III of the "Web Attacks Today and How to Stop Them" series.