The Open Web Application Security Project (OWASP) periodically updates the Top 10 Web Application Security Risks. The Top 10 serves as a set of best practices for those who develop web-based applications, but, as always, also provides insight into the possible entry points into vulnerable web-based applications.
One of the key protection methods is to implement a Web Application Firewall (WAF). For this week’s discussion, does implementing a WAF address the OWASP Top 10, or would implementing the OWASP Top 10 negate the need to add a WAF to a web-based application’s infrastructure? What are your thoughts, and why?
Antonio Cozza says
The best answer would be to implement both, but that depends entirely on the allotted budget, and WAFs can get expensive. Implementing both would present more redundancy and apply a defense-in-depth sort of approach, but again this depends on the budget. A web application firewall should probably not simply be the only form of mitigation against the OWASP Top 10, as a WAF is still a firewall ultimately, meaning it still has the same potential issues that other types of firewalls have. Any firewall is only as effective as its configuration, and many are really not that well configured, with rules that do not allow and deny traffic properly.
The issues that are potentially relevant to only having a WAF are endless. A WAF can run vulnerable software; packets that run through the WAF can be specially crafted packets that are spoofed; a WAF can enter a fail-open or fail-closed state, causing traffic chaos either way; just because a WAF is in place does not mean that it is regularly tested for logically incorrect rules; and lastly, improperly configured rules will lead to false positives and false negatives.
A WAF could serve as a decent solution if an organization wants to allocate funds to implement only one solution, if and only if the WAF is well configured and adequately tested. Implementing the OWASP Top 10 mitigations would also be a good choice, but a WAF can further support this effort. The mitigations recommended for the OWASP Top 10 vulnerabilities do much more than a WAF can do alone, however, as they also address foundational security issues like security by design and legacy components. The scope of the Top 10 mitigations seems to outreach the capacity of a WAF.
Eugene Angelo Tartaglione says
If the budget and timetable allow for it, the best thing the organization can do is implement a WAF, as well as mitigate or fix any vulnerabilities that are found on OWASP’s Top 10. From personal experience managing many web applications, I try to mitigate as many threats as we get back from our security assessments, but I came to realize that some issues cannot be fully resolved, or the only viable option is a form of mitigation of the issue. So with this in mind, I recommend having a WAF (if applicable) as well as mitigating as many issues as possible from OWASP’s Top 10.
Dhaval Patel says
Hi Eugene,
I agree that if the organization has the financial means, then they should implement both a WAF and mitigation strategies. Mitigation strategies can reduce the number of threats, but they can’t prevent everything, and, as you said from experience, some issues cannot be fully resolved, so having a WAF in place could help.
Dhaval Patel says
Ideally, you would want to implement both the WAF and OWASP’s mitigation strategies, but as others have said, budgetary concerns may arise, especially with a WAF. A WAF, however, can help mitigate the OWASP Top 10 along with other vulnerabilities. You can configure a WAF in such a way that you can create custom rules that allow you to block common OWASP patterns.
Patrick Jurgelewicz says
I agree with earlier comments that the best practice would be to implement both a WAF and the OWASP strategies, budget permitting. From here, it becomes more of a business and risk-tolerance decision. I would also say that implementing a WAF does not address the full requirements of the OWASP Top 10, but a lot of the OWASP mitigation strategies can be solved using WAF rules. Therefore I would say that ultimately businesses should implement a WAF and follow the OWASP strategies to address any potential lapses in coverage.
Tal Eidenzon says
Though in theory fully implementing the OWASP strategies “should” cover the known vulnerabilities, it is highly recommended to implement the WAF for several reasons. First of all, defense in depth provides a layered defense which would significantly reduce the “noise” of attempted break-ins. This will allow more time for the security analysts to focus on the attacks that made it through the WAF, as they may pose a higher risk due to successfully penetrating the firewall. Another reason in support of implementing both is that the OWASP strategies focus on KNOWN vulnerabilities; although the WAF also might have potential unknown vulnerabilities, at least it acts as another hurdle for the malicious actors to jump over.
Andrew Nguyen says
I think the best approach would be to implement both: address the OWASP Top 10 along with a WAF.
The more security the better, but also a WAF can be configured to include rules to help protect against things like SQL injection and other popular attacks that are not addressed by the OWASP Top 10.
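An added illustration (not code from any of the posters) of the interplay Dhaval and Andrew describe: one regex signature written in the spirit of a WAF custom rule, beside the application-level fix (a parameterized query) that the OWASP injection guidance calls for. The rule, the table and the inputs are constructed for this demo; a real rule set such as the ModSecurity Core Rule Set is far larger, and the single pattern here is only meant to show that signatures catch a known shape of input while also producing false positives, which is why the two layers complement each other.

```python
import re
import sqlite3

# Constructed single-signature rule (assumption: a stand-in for a WAF rule,
# not a real rule-set entry). It flags a boolean tautology after OR,
# a "union select" pair, or an SQL line comment marker.
SQLI_RULE = re.compile(
    r"(?i)(\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+|\bunion\b\s+\bselect\b|--)"
)


def waf_blocks(value: str) -> bool:
    """Simulated WAF decision: True if the request value matches the signature."""
    return SQLI_RULE.search(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES(?, ?)", [("alice", "admin"), ("bob", "user")]
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: user input concatenated into SQL (the 'before')."""
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: parameterized query, so the input is data, never SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def handle_request(conn: sqlite3.Connection, name: str):
    """Defense in depth: WAF signature first, parameterized query behind it."""
    if waf_blocks(name):
        return "blocked"
    return lookup_param(conn, name)
```

Running `lookup_concat` and `lookup_param` on the same tautology string shows why the application fix matters even with the rule in front; running `waf_blocks` on an ordinary sentence containing "union select" shows the false-positive cost Antonio mentions.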
Krish Damany says
For the best web application security, implementing both a WAF and the OWASP strategies would bring the most protection. While on their own each does help a bit, having a WAF would fill in the gaps of OWASP and vice versa. Along with both WAF and OWASP, automation tools are only as good as the people running them. WAF, OWASP, and people together are the best mode of defense for web application security.
Tal Eidenzon says
Hi Krish,
Defense in depth has been around for a reason. Any one structure can have a vulnerability uncovered, but with several lines of defense, companies can have more peace of mind that the vulnerability will be patched before the next wall can be breached.
Thanks,
Tal