Why WAFs alone can't fight today's application security threats

Over half of today’s web traffic comes from bots, many of them running with malicious intent. On top of that, online businesses face an ever more sophisticated threat landscape that includes groups like Magecart. The potential gain from a successful attack is huge, and security breaches have unfortunately become commonplace. According to a recent report, there were 945 data breaches in the first half of 2018, exposing 4.5 billion data records, which works out to roughly 291 records compromised every second.

In the last year alone, we’ve seen breaches like the following:

  • Facebook announced that hackers had exploited vulnerabilities in their code that gave them access to the highly sensitive personal data of 30 million users, including locations, relationship information, recent searches, and birthdates.
  • British Airways had the details of 380,000 card transactions compromised after a card-skimming script was injected into its payment pages, an attack attributed to Magecart.
  • Marriott International announced that 500 million records in its Starwood division reservation database had been accessed by hackers over the last four years, starting from 2014.
  • India’s national ID database, Aadhaar, was found to expose the records of up to 1.1 billion Indian citizens, including biometric information, because an API used by a third-party system to query it had no access controls.

It’s hard not to feel exposed, both as a consumer and as a company. Attackers grow more creative and more determined as the value of data increases, and cybersecurity is now a precondition for remaining a viable company into the foreseeable future.

It’s more important than ever to understand whether you are doing everything possible to protect your websites and web apps — and whether more traditional forms of web application security, such as a web application firewall (WAF), are still able to weather the storm alone.


Your WAF isn’t dying — it’s struggling to hold the perimeter

The arguments for why WAFs are on the decline might seem valid. A WAF inspects the requests that reach your origin, so it has a blind spot against attacks that play out in the visitor’s browser, such as bot automation or a compromised third-party script that skims payment data before any request is ever sent. In addition, WAFs can be complex to configure and tune so that they block attackers without impacting the visitor experience.

But the truth is that WAFs still play a very important role in web security today. The protection they provide is still very much needed to secure your backend against application-level attacks. Beyond covering many of today’s attack vectors, such as SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), a WAF also provides a much-needed compensating layer for vulnerabilities that result from human error, whether in your own development teams or in a vendor’s code. A common example is failing to parameterize a database query and letting user input be parsed as SQL. A WAF that recognizes injection patterns in a request can block it before it reaches the weak backend code, making it much harder for attackers to exfiltrate, alter, or destroy sensitive data.

That being said, the security perimeter has changed dramatically with the rise of third-party services and sophisticated automated attacks. Businesses face an expanding list of attack types that makes securing web applications a tough job, and a WAF on its own is no longer enough to keep cyber criminals at bay.

Strong web application security requires protection from application to the browser

Modern web applications are no longer a simple website of static content — they are cloud and mobile apps, APIs, third-party services, and new architectures. This presents a complex map of potential vulnerabilities and loopholes that cybersecurity professionals must navigate. The risk of exposure is much higher since the attack surface is larger and the technology available to attackers helps them locate weaknesses and overcome traditional security measures.

The reality is that to fully protect your business against the threats out there, you need a WAF supplemented with deep client-side capabilities that extend into the browser, together with protection against denial-of-service and distributed denial-of-service attacks (DoS/DDoS), malicious bots, and API abuse.

Implementing comprehensive web application security from within a single platform that can fight off potential attacks from different vectors will be essential for companies moving forward.

The Instart Web App and API Protection (WAAP) platform is designed to secure all the entry points into your web application servers, offering end-to-end protection from the browser where your customers and attackers interact with your site, to the edge, all the way to your application infrastructure. Being able to secure the entire traffic path without having to integrate several solutions could be the difference between successfully protecting your business and customers — or failing.
