Web applications and websites are attractive targets for cyberattacks. An unprotected web application can give attackers access to a large pool of user data, or a way to distribute malware to many people. To protect your clients, their networks, their customers and their data, you need to deploy an end-to-end security solution that includes a web application firewall (WAF).
Managed service providers (MSPs), value-added resellers (VARs) and other solution providers need to follow WAF best practices, from the sales process through ongoing service delivery, to give their clients the highest possible level of security.
WAF Sales and Planning
Nitzan Miron, Vice President of Product Management, Application Security Services, Barracuda, advises taking a consultative sales approach. “It’s the preferred way to engage with a customer due to the dynamic nature of applications,” he says.
A practical approach is to use a vulnerability scanner, such as the Barracuda Vulnerability and Remediation Service (BVRS), which can scan applications and generate a detailed report of existing vulnerabilities. This information not only demonstrates the need for a WAF but also helps prioritize the implementation of the business’s security plan.
Miron stresses that the WAF is only one part of that plan. “In a converging world, well-integrated solutions can greatly benefit overall security posture, reduce latency and increase performance.” For example, when the Barracuda WAF is deployed together with the Barracuda CloudGen Firewall (CGF), traffic can be blocked at the CGF layer instead of at Layer 7 in the WAF, which makes the combined solution more efficient.
He adds that MSPs and VARs should also implement solutions with advanced features, such as distributed denial-of-service (DDoS) protection and bot protection, to build an effective approach to security.
Miron reminds MSPs and VARs that no two applications are alike, so WAF policies should be fine-tuned specifically for each application. It’s also essential to ensure that the solution meets each business’s compliance needs.
Continuous Testing of WAF
Vulnerability scanning should not stop once risks have been identified and mitigated at WAF deployment; it should be an ongoing process. Miron says the frequency depends on how quickly applications are expected to change. “In agile environments where applications change often, a vulnerability scanner becomes an important piece in ensuring continuous application vulnerability monitoring and remediation. A WAF should not only be application- and compliance-centric — for a comprehensive application security posture, DevSecOps processes should also be taken into account when configuring the WAF,” he says.
Miron adds that because change is constant, testing is a must throughout the application lifecycle. “New code, a bug fix or an outdated library — with so many variables, continuous testing helps uncover vulnerabilities and fix them in a timely manner,” he says.
Additional Web Application Firewall Best Practices
Miron also says that MSPs and VARs can add value and optimize WAF performance by following these three best practices:
- Test WAF policies to ensure that legitimate traffic is not blocked.
A web application firewall is meant to block malicious traffic, but it can occasionally block legitimate traffic as well. Each such false positive can cost your client an opportunity to engage a customer or prospect, and it can also mean the WAF is working harder than necessary and consuming resources it does not need. Evaluate and test policies periodically to keep them both accurate and efficient.
- Periodically generate reports for adherence to compliance standards.
Some regulations that certain businesses or organizations need to comply with, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS), require a WAF. You can add value by providing your clients with reports that show they meet regulatory requirements and that make it easier for them to document compliance.
- Ensure proper measures are in place to defend against automated attacks.
Some web application firewalls are not enough on their own to detect and defend against automated attacks. Make sure the WAF, as part of the overall security solution you implement for your clients, provides protection against bot attacks.
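The first best practice above, testing WAF policies so that legitimate traffic is not blocked, is easiest to keep up periodically when it is automated. The following Python harness is an added example written for this article; it is not Barracuda's code and does not use any vendor's API. It models a WAF policy as a list of regex rules (a simplification: real products have their own policy formats) and replays a constructed corpus of known-good requests through the policy, reporting every request that would be blocked. Each such hit is a false positive by definition. A constructed positive control is replayed as well, so that "tuning" a rule cannot silently turn it off. The request samples, rule names and patterns are all assumptions made for the example; in practice the replay corpus would be built from the client's own captured traffic and WAF logs.

```python
"""Regression test for WAF policy false positives (added example, not vendor code)."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    query: str      # raw query string, form-encoded
    body: str = ""  # raw body, form-encoded


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str
    fields: tuple   # request fields the rule inspects, e.g. ("query", "body")


def matching_rules(rules, req):
    """Return the names of rules that would block this request.

    Fields are URL-decoded first so rules see the text the application sees
    ("select+your+plan" becomes "select your plan").
    """
    hits = []
    for rule in rules:
        for field in rule.fields:
            text = unquote_plus(getattr(req, field))
            if re.search(rule.pattern, text, re.IGNORECASE):
                hits.append(rule.name)
                break  # one hit per rule is enough
    return hits


def false_positives(rules, corpus):
    """Replay a known-good corpus; every blocked request is a false positive."""
    return [(req, hits) for req in corpus if (hits := matching_rules(rules, req))]


def noisiest_rules(rules, corpus):
    """Rank rules by how many legitimate requests they block, to guide tuning."""
    counts = Counter()
    for _, hits in false_positives(rules, corpus):
        counts.update(hits)
    return counts.most_common()


def policy_passes(rules, corpus, positive_controls):
    """Pass only if nothing legitimate is blocked AND every positive control
    is still blocked, so tuning cannot quietly disable a rule."""
    if false_positives(rules, corpus):
        return False
    return all(matching_rules(rules, req) for req in positive_controls)


# Constructed sample of traffic from a known-good session: a pricing page,
# a signup form, a documentation search and an API call.
LEGITIMATE_TRAFFIC = [
    Request("GET", "/plans", "q=select+your+plan"),
    Request("POST", "/signup", "", "name=Ann+O%27Brien&company=Union+Carbide"),
    Request("GET", "/docs/search", "q=how+to+drop+a+table+in+spreadsheets"),
    Request("GET", "/api/orders", "status=shipped&limit=50"),
]

# Constructed positive control: a parameter carrying an actual SQL statement,
# which must remain blocked after tuning.
POSITIVE_CONTROLS = [
    Request("GET", "/api/orders", "status=select+email+from+users"),
]

# Overly broad policy: any SQL keyword or apostrophe anywhere in the input.
BROAD_RULES = [
    Rule("sql-keywords", r"\b(select|union|drop)\b", ("query", "body")),
    Rule("apostrophe", r"'", ("query", "body")),
]

# Tuned policy: keywords only count when they form SQL syntax, and a lone
# apostrophe (common in names) is no longer a block reason.
TUNED_RULES = [
    Rule("sql-keywords", r"\b(select|union)\b.+\bfrom\b|\bdrop\s+table\b",
         ("query", "body")),
]


if __name__ == "__main__":
    for label, rules in (("broad", BROAD_RULES), ("tuned", TUNED_RULES)):
        ok = policy_passes(rules, LEGITIMATE_TRAFFIC, POSITIVE_CONTROLS)
        print(f"policy={label} passes={ok}")
        for req, hits in false_positives(rules, LEGITIMATE_TRAFFIC):
            print(f"  false positive: {req.method} {req.path}?{req.query} -> {hits}")
        print(f"  noisiest rules: {noisiest_rules(rules, LEGITIMATE_TRAFFIC)}")
```

Run as a script, the broad policy fails with three false positives (the product search, the signup form and the documentation search), and `noisiest_rules` points at the keyword rule as the one to tune; the tuned policy blocks none of the legitimate corpus while still catching the positive control. Wiring the same check into a scheduled job, with the corpus refreshed from recent known-good traffic, turns "test policies periodically" into a repeatable gate before any policy change goes live.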
How Does Your WAF Stack Up?
It takes the right tools to support WAF best practices. OWASP offers evaluation criteria to help you find a web application firewall that will deliver the most value and the highest level of protection.
You can also learn more about the WAF solutions available in our Web Application Firewall Product Comparison.