Web Application Firewall (WAF) Best Practices
Different tools naturally fall into a specific team's domain. Take WAFs.
Web application firewalls are often proposed by the application security team but are critical and benefit every group in the DevOps process. In fact, WAFs are the leading technology adopted by DevOps teams, with the application security tool used by more than half of intermediate and beginner DevOps practices, as well as 59% of mature teams, according to a survey of more than 5,000 application creators.
The widespread usage of WAFs is no surprise. Web application firewalls deliver significant benefits to DevOps, protecting applications, giving developers and operations better visibility into runtime threats, and allowing security teams to deploy virtual patches to prevent exploitation before a vulnerability can be fixed.
So how should DevOps groups most effectively use WAFs? Here are some best practices.
1. Put WAF in Front of Every API
WAFs help companies gain visibility into their applications' runtime status and what sort of requests and attacks impact their software. For that reason, modern WAFs should be placed in front of all applications exposed to the internet and between containers in a microservice or API-forward architecture.
Companies that only have sparse coverage of their application portfolio are losing a great deal of visibility into the threats targeting their applications. WAF analytics, logs, and data from other sources can be combined to give a company granular intelligence on current attacks and application execution errors.
Increasing observability has become a significant trend in modern DevOps teams. The most mature teams — so-called "elite performers" — are four times as likely to automate and integrate monitoring logs and attacks into their process, compared to low performers, or less mature teams.
2. Make Security Part of the Code
Using a security-as-code approach allows developers to communicate runtime security assumptions to the application infrastructure at deployment. Limiting the types of requests that an application has to process can be more efficient as it allows pre-processing of inputs at the edge of the application infrastructure, rather than inside the application.
In addition, modern WAFs give teams more options to deal with threats. Complex vulnerabilities that cannot easily be addressed with simple changes can instead be blocked from exploitation by creating a virtual patch that can be deployed to the WAF.
3. Continuously Test WAF Changes
WAFs set to “log and block” mode run the risk of causing application failures if changes and updates to the WAF are not tested properly. Unfortunately, automated performance and security testing is the automation process least likely to be adopted by DevOps teams. Only 18% of low-performing DevOps teams use automated performance testing, and a scant 15% use automated security tests. Even elite performers are unlikely to automate performance and security tests, with only 28% and 31%, respectively, of teams adopting those two forms of automated testing, according to Google's DevOps Research and Assessment group.
Groups that do test typically integrate the WAF into the testing process, as a component of the application. Just like changes to the application, it's useful to be able to see any potential impacts from security tools before the change is made in production.
4. Get Buy-In on WAF decisions
While evidence suggests that operations teams have pushed for DevOps in the past, increasingly developers are driving the transition to the agile methodology. Yet, no matter who is the impetus behind the adoption of DevOps, both operations and development groups need to be mindful of the risks that their business is willing to take. For applications that have no stored user data and are not processing transactions, the WAF may be able to run in a very strict mode, blocking suspicious requests.
However, for a company whose web application is their business — such as an online retailer — tuning the WAF may require additional effort, as blocking potential legitimate customers will result in business loss.
For that reason, it is important to work closely with business executives on the broad strategy to be employed with the WAF and the specific criteria to guide decisions.
Modern WAFs bring significant utility to DevOps groups when used correctly, including better intelligence, faster security implementation and response, and the shifting left of some responsibility for security configuration. The benefits to the software development life cycle of a mature DevOps process are enormous: a mature group can deploy code 200 times more frequently than low performers, and recover from incidents in an hour, as opposed to weeks for low performers, according to Google's DORA report.
WAFs need to be deployed properly to be most effective, and these best practices can help.