What is WAF Security? | Fortinet (2024)

And why is WAF an effective security strategy for business success?


What is WAF Security?

A web application firewall (WAF) defends the Layer 7 perimeter from malicious traffic. In other words, a web application firewall is one of the tools responsible for securing business-critical web apps from the OWASP Top 10, zero-day threats, known or unknown application vulnerabilities, and an array of other application-layer attacks.

As organizations undertake new digital initiatives and expand their attack surface to enable the business, they often find that new web applications and application programming interfaces (APIs) become exposed to dangerous traffic through web server vulnerabilities, a server plugin, or other weaknesses exploited by OWASP Top 10 threats. WAFs help to keep these applications and the content they access secure.

Why WAFs Are Critical for Organizations

Digital innovation (DI) efforts that are driving increased use of web application technologies require a fundamental change in the way that organizations conduct business using digital technology tools, particularly if they want to avoid the various OWASP Top 10 threats.

Successful DI is more than simply deploying technology by companies like Barracuda, Fortinet, and others—it requires a focus on the needs of customers and a willingness to embrace rapid change, including rapid adoption and technology deployment options that help organizations meet the needs of customers. These protections tend to come from a variety of sources, including Imperva, Nginx, Barracuda, and others.

Public cloud and Software-as-a-Service (SaaS) solutions, for example, can help organizations accelerate the business when properly used and protected by strict security rules, such as those used by Barracuda defense systems or others in the cybersecurity community. Yet, as rapid adoption of these technologies increases the speed of business operations, web application security flaws, including those on the OWASP Top 10, sometimes arise, leaving web applications at risk from threats hiding in internet traffic.

As customers increasingly access business applications from unmanaged bring-your-own devices (BYOD) on networks the organization does not control and without VPN access, organizations must recognize the risks. Even network firewalls can be vulnerable. Traditional perimeter security tools, including network firewalls, are not adequate for protecting internet-facing applications from OWASP Top 10 dangers and other application vulnerabilities carried in network traffic, even though a product such as Barracuda's can otherwise be an adequate solution for some users.

A new set of rules is needed. Organizations running business-critical applications require tools that address the Layer 7 perimeter. A web application firewall (WAF) is the solution that protects these applications and data.

What Types of Threats Do WAFs Prevent?

Modern web applications require a comprehensive web application firewall to protect important applications against multiple types of web attacks and other threats lurking in network traffic, including the Open Web Application Security Project (OWASP) Top 10, which "represents a broad consensus about the most critical application security risks to web applications." The OWASP Top 10 includes:

Injection attacks

When untrusted data is sent to an interpreter, an attacker can inject malicious code.

Broken authentication

If authentication mechanisms are not implemented properly, attackers can expose these vulnerabilities.

Sensitive data exposure

Since many web applications and APIs lack data security, attackers can exploit sensitive financial, healthcare, and personal information.

XML external entities (XXE)

Many legacy XML processors evaluate external entities, which can be leveraged to disclose internal files.

Broken access controls

When user access and restrictions are not enforced, unauthorized users can potentially access confidential files.

Security misconfiguration

Default or ad hoc configurations produce security misconfigurations that introduce vulnerabilities.

Cross-site scripting (XSS)

When an application includes untrusted data without validation, XSS flaws occur that can be used to perform attacks.

Insecure deserialization

Deserializing untrusted data can lead to remote code execution, which can be used to perform further attacks.

Using components with known vulnerabilities

Components often run with the same privileges as the application. If one component has a vulnerability, all components and the applications that use them can be compromised.

Insufficient logging and monitoring

Logging and monitoring that is not integrated with incident response tooling leaves the response process incomplete.
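Two of the items above, injection and cross-site scripting, are easiest to understand by looking at the application code that creates them. The following Python example is added here and is not code from the Fortinet page; it shows a vulnerable lookup and a vulnerable HTML render beside their hardened forms, using a constructed in-memory SQLite table and constructed inputs. The point for a WAF deployment is that these fixes belong in the application, with the WAF as the layer that catches what the application misses.

```python
"""Added example (not from the Fortinet page): the OWASP 'Injection' and
'Cross-site scripting' items, each shown as a vulnerable snippet beside its
hardened form. The table, rows and probe inputs are constructed for this demo."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory SQLite table of accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 120), ("bob", 75), ("carol", 300)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input is concatenated into the statement, so the interpreter
    (SQL) treats attacker-supplied characters as code: the Injection flaw."""
    query = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver binds the value, so it can never change
    the structure of the statement."""
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def render_vulnerable(display_name: str) -> str:
    """Untrusted data placed into HTML without encoding: the XSS flaw."""
    return f"<p>Welcome, {display_name}</p>"


def render_hardened(display_name: str) -> str:
    """Output encoding turns markup characters into inert entities."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def demo() -> dict:
    """Run both pairs on constructed inputs and return what each produced."""
    conn = make_db()
    probe = "' OR '1'='1"             # constructed: data to the app, code to SQL
    markup = "<script>alert(1)</script>"  # constructed: data to the app, code to the browser
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),  # 3: the filter is bypassed
        "hardened_rows": len(lookup_hardened(conn, probe)),      # 0: no such user
        "vulnerable_html": render_vulnerable(markup),
        "hardened_html": render_hardened(markup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened lookup returns no rows for the same input because the quote characters are bound as data; the hardened render emits `&lt;script&gt;`, which the browser displays rather than executes.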

However, taking the OWASP Top 10 into consideration is just the beginning. OWASP describes the Top 10 as a list of the most pervasive risks, the minimum that organizations must address. Modern WAF security must go further to address threats outside the scope of the OWASP Top 10, including:

Bots

Programs that interact with our applications and often mimic human interaction. Good bots may be allowed to interact with an application, and include: search engines, virtual assistants, and content aggregators (e.g., price comparison sites). Bad bot activity can include: web scraping, competitive data mining, personal and financial data harvesting, account takeover, digital ad fraud, and transaction fraud.

Malicious uploads

Many web applications allow users to upload their own content, which can include a variety of malicious code payloads.

Unknown vulnerabilities

Signature-based solutions cannot protect against newly discovered vulnerabilities. A robust WAF solution must be able to defend against threats for which no signatures exist.

Zero-day attacks

Attacks that target previously unknown flaws in an application. When a threat actor discovers a zero-day vulnerability, they can use it to exploit systems that do not have additional defensive measures in place, such as a WAF.

Distributed Denial of Service (DDoS)

The use of a large number of systems, often a botnet of compromised computers, to overwhelm an application so that it cannot respond to user requests. DDoS attacks can attempt to simply overwhelm the system with traffic or may attempt to exploit a flaw in the application logic to achieve the same result.

How WAFs Deliver API Protection

The days of basic websites serving up simple Hypertext Markup Language (HTML) pages have passed. Traffic has become more sophisticated. Web applications today deliver mission-critical services using APIs that provide richer, more responsive experiences by letting the client process raw data instead of just rendering simple HTML. These APIs also support the mobile applications users rely on, so they require a web application firewall (WAF), whether from Fortinet, Barracuda, or another vendor, to protect them from OWASP Top 10 threats such as file inclusion vulnerabilities and from other attacks that exploit internet traffic, a server plugin, or other vulnerabilities.

Giving the client access to that much application data increases the potential impact if an attacker finds a way to exploit the API, particularly when no WAF from a provider such as Barracuda, AWS, or Cloudflare is in place.


WAFs for Compliance

Making the data that web applications rely on available to the application often comes with compliance obligations. WAFs help organizations meet compliance rules as well. Regardless of your service provider, whether it's AWS, Barracuda, Imperva, or another option, compliance needs to be a primary priority.

Payment Card Industry Data Security Standard (PCI DSS), for example, defines a set of application security standards that organizations handling credit cards must comply with, and PCI 6.6 specifically will often come up when discussing web application firewall technologies designed to keep traffic and assets secure.

The standard requires traffic to web applications that interact with card data to be inspected and offers two options: either web application code reviews (which can slow down deployments) or deployment of a WAF between the client and the web application. These services are offered by several of the major providers, such as Fortinet, Cloudflare, and Barracuda.

In a world where organizations are expected to frequently and rapidly deploy code changes as they adopt DevOps methodologies, a robust web application firewall (WAF) will often be a better solution for meeting these types of compliance rules while protecting the organization from OWASP Top 10 threats.

Advanced Capabilities of WAFs

Organizations must also use providers like Fortinet, Barracuda, or Cloudflare to protect data from modern OWASP threats, all while minimizing any friction to what the end user experiences as they interface with an application and its data traffic.

Frustrating experiences that customers deal with include being blocked on the basis of false positives or navigating excessive CAPTCHA prompts to prove they are human. The following advanced web application firewall capabilities can ensure optimal experiences for customers:

Machine learning

Traditional web application learning (profiling) techniques require manual tuning and are prone to false positives. Tuning the profile every time the application changes and remediating false positives drives up administrative overhead for teams that may already be overburdened.

Machine learning in web application firewalls can change the game by automatically modeling real web application behavior, including how parameters and cookies are normally used, so that user behavior can be approximated from the traffic itself. Further, by updating that model automatically as the web application evolves, application security teams spend less time manually tuning the web application firewall to the traffic and creating exceptions for false positives.
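To make the idea of "modeling real web application behavior" concrete, the following Python example is added here; it is not Fortinet's code and does not reproduce any vendor's machine learning. It stands in for the technique with a simple learned profile per request parameter (longest value seen, narrowest character class that fits every value), flags requests that deviate from the profile without any attack signature, and shows how re-learning from legitimate traffic absorbs an application change that would otherwise be a false positive. The baseline traffic, paths and parameter names are constructed for the demo.

```python
"""Added example (not from the Fortinet page): a minimal learned 'positive
security model' for request parameters, standing in for the ML behaviour
modelling described above. Baseline traffic and thresholds are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Character classes ordered from most to least restrictive; the learner keeps
# the most restrictive class that every observed value fits.
CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("alpha", re.compile(r"^[A-Za-z]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_-]+$")),
    ("text", re.compile(r"^[A-Za-z0-9 _.,@-]+$")),
    ("any", re.compile(r".*", re.S)),
]


def classify(value: str) -> int:
    """Index into CLASSES of the most restrictive class that matches value."""
    for i, (_, pattern) in enumerate(CLASSES):
        if pattern.match(value):
            return i
    return len(CLASSES) - 1


@dataclass
class ParamProfile:
    max_len: int = 0
    class_idx: int = 0
    samples: int = 0

    def learn(self, value: str) -> None:
        self.max_len = max(self.max_len, len(value))
        self.class_idx = max(self.class_idx, classify(value))
        self.samples += 1


@dataclass
class BehaviourModel:
    # (path, parameter name) -> learned profile
    profiles: dict = field(default_factory=lambda: defaultdict(ParamProfile))
    slack: float = 1.5  # tolerated growth over the longest value seen while learning

    def learn(self, path: str, params: dict) -> None:
        for name, value in params.items():
            self.profiles[(path, name)].learn(value)

    def evaluate(self, path: str, params: dict) -> list:
        """Return (parameter, reason) anomalies; an empty list means the request
        fits the learned behaviour of the application."""
        findings = []
        for name, value in params.items():
            key = (path, name)
            if key not in self.profiles:
                findings.append((name, "parameter never seen in learning"))
                continue
            prof = self.profiles[key]
            if len(value) > prof.max_len * self.slack:
                findings.append((name, f"length {len(value)} exceeds learned max {prof.max_len}"))
            if classify(value) > prof.class_idx:
                findings.append((name, f"character class '{CLASSES[classify(value)][0]}' "
                                       f"wider than learned '{CLASSES[prof.class_idx][0]}'"))
        return findings


# Constructed baseline traffic: what the application's real users normally send.
BASELINE = [
    ("/account", {"id": "1042", "tab": "summary"}),
    ("/account", {"id": "77", "tab": "history"}),
    ("/account", {"id": "31900", "tab": "summary"}),
    ("/search", {"q": "wire transfer fees"}),
    ("/search", {"q": "branch hours"}),
]


def build_model() -> BehaviourModel:
    model = BehaviourModel()
    for path, params in BASELINE:
        model.learn(path, params)
    return model


def demo() -> dict:
    model = build_model()
    normal = model.evaluate("/account", {"id": "9981", "tab": "history"})
    # An id that is no longer purely numeric deviates from the learned profile
    # whatever the payload is; no signature is needed to flag it.
    anomalous = model.evaluate("/account", {"id": "1042 OR 1=1", "tab": "summary"})
    # The application evolves: a new 'sort' parameter ships. Before re-learning
    # it is a false positive; after re-learning from legitimate traffic it is not.
    changed = {"id": "5", "tab": "summary", "sort": "date"}
    before = model.evaluate("/account", changed)
    model.learn("/account", changed)
    after = model.evaluate("/account", changed)
    return {"normal": normal, "anomalous": anomalous,
            "before_relearn": before, "after_relearn": after}
```

A production model would learn from far richer features (value distributions, request rates, sequence of pages, per-user context) and would only promote a new parameter after seeing it from many clients, not from a single request as this toy does; the structure of the decision, however, is the same.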

Advanced reporting

Simply blocking a request to enhance application security is not enough to thwart OWASP threats—organizations need full visibility into event details that web application firewalls (WAFs) can provide. Attack logs should include the critical information that security operations center (SOC) analysts need, such as the Hypertext Transfer Protocol (HTTP) body, the cookies presented with the request, and a clear indication of why the security rules required the request to be blocked.
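The following Python example is added here to show what such an attack log record can look like; it is not Fortinet's code and its three signature rules, request structure and sample requests are all constructed for the demo. It inspects query parameters, cookies and the body, records which rule fired and where, keeps the body for the analyst, and masks session cookie values so that the log itself does not become a credential leak. The final function emits one JSON object per line, the shape most SIEM collectors ingest directly (see "Attack log export to external SIEM" in the comparison below).

```python
"""Added example (not from the Fortinet page): a toy WAF inspection step that
produces an attack log record with the rule id, the location of the match, the
HTTP body and the cookies, with session secrets masked. Rules and requests are
constructed for this demo; real WAF rule sets are far larger."""
import json
import re
from dataclasses import dataclass
from typing import Optional

RULES = [
    ("SQLI-001", "SQL tautology or comment sequence",
     re.compile(r"(\bor\b\s+['\d]+\s*=\s*['\d]+|--\s|/\*)", re.I)),
    ("XSS-001", "HTML script tag or event handler",
     re.compile(r"(<\s*script\b|\bon\w+\s*=)", re.I)),
    ("XXE-001", "XML DOCTYPE declaring an external entity",
     re.compile(r"<!DOCTYPE[^>]*<!ENTITY[^>]*SYSTEM", re.I | re.S)),
]

SENSITIVE_COOKIES = {"session", "sessionid", "auth", "token"}


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    query: dict
    headers: dict
    cookies: dict
    body: str


def mask_cookies(cookies: dict) -> dict:
    """Keep cookie names (and harmless values) but never log a session secret."""
    return {k: ("***" if k.lower() in SENSITIVE_COOKIES else v) for k, v in cookies.items()}


def inspect(req: Request) -> Optional[dict]:
    """Run every rule over every inspected field; return a log event for the
    first match, or None when the request passes."""
    fields = [("query:" + k, v) for k, v in req.query.items()]
    fields += [("cookie:" + k, v) for k, v in req.cookies.items()]
    fields.append(("body", req.body))
    for location, value in fields:
        for rule_id, description, pattern in RULES:
            match = pattern.search(value)
            if match:
                return {
                    "action": "block",
                    "client_ip": req.client_ip,
                    "method": req.method,
                    "path": req.path,
                    "rule_id": rule_id,
                    "reason": f"{description} matched in {location}",
                    "matched": match.group(0)[:64],
                    "body": req.body[:512],  # full body for analysts, capped for log size
                    "cookies": mask_cookies(req.cookies),
                    "user_agent": req.headers.get("User-Agent", ""),
                }
    return None


def to_siem_line(event: dict) -> str:
    """One JSON object per line, the shape most SIEM collectors ingest directly."""
    return json.dumps(event, sort_keys=True)


# Constructed sample requests (addresses from the documentation ranges).
BENIGN = Request("198.51.100.7", "GET", "/account", {"id": "1042"},
                 {"User-Agent": "Mozilla/5.0"}, {"session": "abc123", "lang": "en"}, "")
SQLI_QUERY = Request("203.0.113.5", "GET", "/account", {"id": "1042' OR '1'='1"},
                     {"User-Agent": "Mozilla/5.0"}, {"session": "abc123"}, "")
XML_UPLOAD = Request("203.0.113.9", "POST", "/import", {}, {"User-Agent": "curl/8.0"},
                     {"session": "abc123"},
                     '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY x SYSTEM "file:///example-path">]><d>&x;</d>')


def demo() -> dict:
    return {"benign": inspect(BENIGN), "sqli_query": inspect(SQLI_QUERY),
            "xml_upload": inspect(XML_UPLOAD)}


if __name__ == "__main__":
    for name, event in demo().items():
        print(name, "->", "pass" if event is None else to_siem_line(event))
```

Note what the record deliberately does and does not contain: the analyst gets the body, the matched fragment and the exact field, which is enough to triage a false positive; the session cookie value is masked because a SIEM with thousands of readers is not the place to store live credentials.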


APIs for Orchestration With a WAF

In addition to protecting the internet-facing APIs of business applications, an advanced WAF solution must provide its own APIs for managing the WAF itself.

Choosing the right WAF

Capability                                       AWS WAF with FortiWeb WAF Rules   FortiWeb Cloud WAF as a Service
Backed by FortiGuard Labs threat intelligence    x                                 x
OWASP Top 10 protection                          x                                 x
Delivered on AWS infrastructure                  x                                 x
API WAF management                               x                                 x
Bot mitigation                                   x                                 x
DDoS protection                                  x                                 x
Optional FortiSandbox integration                                                  x
File protection                                                                    x
Information leak prevention                                                        x
Cross site request forgery (CSRF) protection                                       x
Content delivery network (CDN) included                                            x
Web socket security                                                                x
Attack log export to external SIEM                                                 x
API security                                                                       x
