As our economy turns to automation for business efficiencies, web applications and APIs (Application Programming Interfaces) have become the main channels for connecting with customers and clients. Organizations must prioritize web application security, because cyber criminals have also identified web apps as an entryway into company networks: public-facing applications are among the most commonly exploited vectors for breaching an organization's perimeter.

A recent study showed a significant increase in attacks in the first half of 2022 compared with the prior year:

  • 12.56% increase in web application attacks
  • Bot attacks rose 2.27 times
  • Over 168% increase in API attacks

No single control secures web applications and APIs; a web security strategy combines several approaches, such as a web application penetration test, the OWASP Top 10 as a baseline for the most common weaknesses, and an overall risk assessment. This article gives a brief overview of one widely deployed control, the Web Application Firewall (WAF).


WHAT IS A WAF?

A web application firewall, or WAF, is a security control that protects an organization's web applications and APIs. Unlike a network firewall, which filters packets by address and port, a WAF works at the application layer: deployed inline (as a reverse proxy, a web server module, or a cloud/CDN service), it inspects the HTTP requests and responses flowing to and from a web application and filters, monitors, logs, and blocks traffic that matches known attack patterns or scores as anomalous. The attacks it is designed to catch include SQL injection, cross-site scripting (XSS), local and remote file inclusion, cross-site request forgery (CSRF), and more. Two caveats matter in practice. A WAF can only inspect traffic that is routed through it and that it can read, so TLS must be terminated at or before the WAF. And because it matches patterns rather than understanding the application, it is a compensating control that limits the reach of attacks against an existing vulnerability, not a substitute for fixing the vulnerability in the code.
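To make the definition concrete, here is a toy request inspector written for this article. It is added example code, not the code of any WAF product, and its rule set, rule weights, block threshold and sample requests are all constructed assumptions. It does in miniature what a signature-based WAF does: parse the HTTP request into the locations an attacker controls, normalize each one the way the application would (repeated URL-decoding, case folding), match weighted rules against it, and block once the anomaly score reaches a threshold.

```python
"""Toy WAF-style inspector (added example): parse, normalize, score, block."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote_plus, urlsplit

BLOCK_THRESHOLD = 5  # assumed value: block once matched rule weights sum to this

# (rule id, weight, pattern) over normalized text. Weights are illustrative, in
# the spirit of anomaly scoring: strong indicators block alone, weak ones add up.
RULES = [
    ("sqli-tautology", 5, re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
    ("sqli-union",     5, re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b")),
    ("sqli-keyword",   1, re.compile(r"\b(?:select|insert|update|delete|drop)\b")),
    ("xss-script-tag", 5, re.compile(r"<\s*script\b")),
    ("xss-handler",    3, re.compile(r"\bon[a-z]+\s*=")),
    ("lfi-traversal",  3, re.compile(r"\.\.[/\\]")),
    ("lfi-sensitive",  5, re.compile(r"/etc/(?:passwd|shadow)\b")),
    ("rfi-wrapper",    5, re.compile(r"\b(?:php|data|expect)://")),
]

@dataclass
class Verdict:
    blocked: bool
    score: int
    matches: list   # (rule id, location) pairs

def extract_locations(raw: str) -> dict:
    """Parse a raw HTTP/1.1 request (CRLF line endings) into the attacker-controlled
    locations a WAF inspects: path, query arguments, form fields or raw body, and
    headers that are commonly abused to smuggle payloads."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    locations = {"path": url.path}
    locations.update({f"arg:{k}": v
                      for k, v in parse_qsl(url.query, keep_blank_values=True)})
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        locations.update({f"form:{k}": v
                          for k, v in parse_qsl(body, keep_blank_values=True)})
    elif body:
        locations["body"] = body
    for name in ("user-agent", "referer", "cookie"):
        if name in headers:
            locations[f"header:{name}"] = headers[name]
    return locations

def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded, so %2527 cannot hide a quote), drop
    NULs, fold whitespace and case: rules see what the application would see."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value.replace("\x00", "")).lower()

def inspect(raw_request: str) -> Verdict:
    """Score a request; each rule counts once per location it matches in."""
    score, matches = 0, []
    for location, value in extract_locations(raw_request).items():
        text = normalize(value)
        for rule_id, weight, pattern in RULES:
            if pattern.search(text):
                score += weight
                matches.append((rule_id, location))
    return Verdict(score >= BLOCK_THRESHOLD, score, matches)

# Constructed sample traffic for the demo, not captured from any real system.
SAMPLES = {
    "benign search": ("GET /search?q=select+a+laptop+under+500 HTTP/1.1\r\n"
                      "Host: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    "sqli in query": ("GET /items?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\n"
                      "Host: shop.example\r\n\r\n"),
    "double-encoded xss in form": (
        "POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "text=%253Cscript%253Ealert(1)%253C%252Fscript%253E"),
    "traversal to /etc/passwd": (
        "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1\r\n"
        "Host: shop.example\r\n\r\n"),
}

def run_samples() -> dict:
    """Inspect every sample request; returns {name: Verdict}."""
    return {name: inspect(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, v in run_samples().items():
        print("BLOCK" if v.blocked else "ALLOW", v.score, name, v.matches)
```

Running it shows the benign search, which contains the word "select", passing with a score of 1, while the injected, double-encoded and traversal requests are blocked. Two things become visible: a single weak indicator does not block, which is how scoring keeps false positives down, and the decoding step matters, because a rule applied to the raw "%253C" would never see the "<script" it encodes. A real WAF adds what this toy omits: TLS termination so it can read HTTPS at all, response inspection, rate limiting, and a continuously updated rule set.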


WHY DO YOU NEED A WAF?

SENSITIVE DATA. Most organizations automate their processes for convenience and efficiency, and online transactions for products and services are the norm. Digitizing everyday activities also exposes us to more risk: credit card numbers, bank information, medical details, and other sensitive data are all reachable through web applications. A WAF helps protect this information by blocking attack traffic aimed at the applications that handle it, reducing the chance that an injection or file inclusion flaw turns into a data breach.

COMPLIANCE REQUIREMENTS.  If your entity stores, processes, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS applies to every entity involved in card payment processing, including merchants, processors, acquirers, issuers, and service providers. Requirement 6 of PCI DSS v3.2.1 states that you must develop and maintain secure systems and applications, and Requirement 6.6 is specific to public-facing web applications: you must address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected from known attacks, by either reviewing them with manual or automated application vulnerability assessment tools at least annually and after any change, or "installing an automated technical solution that detects and prevents web-based attacks", such as a web application firewall (WAF), in front of them. In PCI DSS v4.0 this became Requirement 6.4.1, and its successor, Requirement 6.4.2, makes the automated solution (in practice, a WAF) mandatory from 31 March 2025, so the WAF option is the forward-looking one. A WAF can also help support compliance requirements under HIPAA, GDPR, and other regulatory frameworks, although those frameworks do not name a WAF as a specific control.

As the digital economy continues to evolve, review your web application security strategy regularly. Make sure every external-facing web application and API sits behind a suitably configured WAF; an application that can be reached around the WAF, or a forgotten subdomain, gets no protection from it. Update your WAF configuration whenever your applications, business environment, or compliance and regulatory requirements change, and tune the rules after each change so that neither blind spots nor false positives that block legitimate users creep in.

We can help you select the right WAF for your specific applications and configure it appropriately. If you first need support identifying all your external-facing assets, we can conduct an External Asset Discovery.