
The WAF is dead (or at least dormant)

Julien Bellanger on May 5, 2014

Photo by Taylor Leopold

Over the last year, my co-founder and I have pitched hundreds of CISOs, CSOs and security specialists and CIOs on Prevoty’s new runtime approach to application security. In just about every conversation, we ended up discussing Web Application Firewalls (WAFs) and arriving at some surprising conclusions.

The summary of these conversations went something like this:

Early 2013: “Why would I need Prevoty?  I already have a WAF!” 
Mid 2013: “I know I need my WAF, but it’s somewhat of a speed bump – it is so hard to configure for multiple applications.”
Late 2013: “My WAF is driving me crazy with false positives.” 
Early 2014: “We're running our WAF in passive mode.  We still use it because we need it for compliance, but we use it mainly for Denial of Service attacks.”

We’ve come to this conclusion: WAFs in production are not actually doing application security at all.  They are being used for functions that a modern load balancer could comfortably handle.

Why is this? To be done correctly, application security needs context from within the application itself, something that a WAF's algorithm-based guesswork at the network layer simply does not have.

WAFs filled a gap when there was no other option for application security: they were built as an extension of the traditional network firewall, positioned outside of the application. Following the same logic as a network firewall, WAFs are proxies that inspect all traffic without application context and rely on definitions of past attacks. WAFs are the Advil of application security, creating a dangerous false sense of security.

Because top application threats such as XSS, SQL injection and CSRF execute inside the application itself, how can a WAF know how the traffic it analyzes will actually be interpreted there? You already know the answer (!), and this is the main reason why enterprises are no longer using WAFs for actual application security.

Add in configuration complexity, false positives and negatives, and the added latency, and you have a real cocktail of reasons to stay away from WAFs.
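To make the context argument concrete, here is an added illustration that is not part of the original post or of any Prevoty product: a toy signature filter standing in for a network-layer WAF, beside in-application handling that knows where each value ends up (a bound SQL parameter, an HTML text node) and neutralizes it by construction. The signatures, table and book titles are constructed for the example.

```python
import html
import re
import sqlite3

# Toy network-layer filter (constructed for this example). It sees only the raw
# request value and must guess from signatures whether it is an attack.
WAF_SIGNATURES = [
    re.compile(r"\bselect\b.*\bfrom\b", re.IGNORECASE),  # SQL-looking text
    re.compile(r"<\s*script", re.IGNORECASE),            # HTML-looking text
]


def waf_blocks(request_value: str) -> bool:
    """Signature-only decision: no knowledge of how the app will use the value."""
    return any(sig.search(request_value) for sig in WAF_SIGNATURES)


# In-application handling: the application knows the value is (a) a search
# term bound as a SQL parameter and (b) text rendered inside an HTML element.
def build_catalog() -> sqlite3.Connection:
    """Constructed in-memory catalog; a legitimate title contains SQL keywords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT)")
    conn.executemany(
        "INSERT INTO books VALUES (?)",
        [("Select Poems from Keats",), ("Network Security",)],
    )
    return conn


def search_titles(conn: sqlite3.Connection, term: str) -> list[str]:
    """Parameter binding: the term is data and can never become SQL syntax."""
    rows = conn.execute(
        "SELECT title FROM books WHERE title LIKE ?", (f"%{term}%",)
    )
    return [row[0] for row in rows]


def render_search_echo(term: str) -> str:
    """Output encoding for an HTML text context: markup in the term stays inert."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"
```

The same string that the signature filter rejects as a false positive is handled safely in the application, because the neutralization depends on the usage context rather than on guessing intent from the bytes on the wire.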

In With The New: RASP Technology

As applications become increasingly complex, dynamic and distributed, there is now more focus than ever on making them secure and safe for their users. It is clear that the security industry is at the start of a major shift: away from attempting to do application security at the network layer and towards application security done from within the application. The industry is calling this Runtime Application Self-Protection (RASP), and we're pioneering this new approach.

So it's time for the rise of the new SSDLC (Secure Software Development Lifecycle), one that combines developer training, static code analysis and dynamic code analysis with real-time, in-application active threat prevention.

The WAF is dead. R.I.P.


Julien Bellanger

Julien Bellanger is the co-founder and CEO of Prevoty, a next-generation web application security platform. Most recently, Julien founded Personagraph, an Intertrust company focused on mobile user privacy. Before joining Intertrust as Director of Corporate Development, he built and led Thomson/Technicolor’s digital advertising business unit in Latin America. Julien started his career as a Corporate Auditor at Thomson/Technicolor after launching his first startup in college, the first French social network exclusively for students. Julien received a B.S. from I.S.G and an MBA from the Tuck School of Business, Dartmouth College.


Topics: WAFs