Over the last year, my co-founder and I have pitched hundreds of CISOs, CSOs, CIOs and security specialists on Prevoty’s new runtime approach to application security. In just about every conversation, we ended up discussing Web Application Firewalls (WAFs) and arriving at some surprising conclusions.
The summary of these conversations went something like this: WAFs in production are not actually doing application security at all. They are being used for functions that a modern load balancer could comfortably handle.
Why is this? To be done correctly, application security needs context from within the application itself – something that the WAF’s algorithm-based guesswork at the network layer simply doesn’t have.
WAFs filled a gap when there was no other option for application security – they were built as an extension of the traditional network firewall, positioned outside of the application. Respecting the same logic as a network firewall, WAFs are proxies looking at all the traffic without application context and relying on past definitions. WAFs are the Advil of application security, creating a dangerous sense of false security.
Because top application threats such as XSS, SQL injection and CSRF play out inside the application itself, how can a WAF understand how the traffic it analyzes is actually going to execute? You already know the answer (!) – this is the main reason why enterprises are no longer using WAFs for actual application security.
Add in configuration complexity, false positives and negatives, and added latency, and you have a real cocktail of reasons to stay away from WAFs.
In With The New: RASP Technology
As applications become increasingly complex, dynamic and distributed, there is more focus than ever on making them secure and safe for their users. It is clear that the security industry is at the start of a major shift: away from attempting to do application security at the network layer and towards application security done from within the application. The industry is calling this Runtime Application Self-Protection (RASP), and we’re pioneering this new approach.
So it’s time for the rise of the new SSDLC (Secure Software Development Lifecycle): one that includes developer training, static code analysis and dynamic code analysis, combined with real-time, in-application active threat prevention.
The WAF is dead. R.I.P.