Web Application Firewalls: The Top 10 Security Challenges and How to Meet Them

From IC Insider Thales Trusted Cyber Technologies

By Bill Becker, CTO, Thales Trusted Cyber Technologies

Web applications are the entry point to an organization’s data, which makes them a prime target for hackers. From attacks that have shut down corporate and government sites, to Distributed Denial of Service (DDoS) in the financial markets, to web breaches that leak consumer and corporate data, cybersecurity incursions are almost constantly in the news. That doesn’t even include the unreported breaches and small-scale online fraud. Unfortunately a hacker’s arsenal of tools – technical web attacks, business logic attacks, and fraud – are generally unprotected by traditional network security systems.

Hacker forums show that favorite methods of cybercrime include tactics like SQL injection and cross-site scripting (XSS). In a report from the Ponemon Institute, nearly two-thirds of organizations experienced one or more SQL injection attacks that evaded their firewall over a single year, with detection requiring an average of nearly 140 days.

And, hackers aren’t stopping at traditional web attacks. Business logic (custom rules or algorithms governing how a user interface operates and interacts with a database) attacks and fraud are also becoming increasingly popular techniques. Hackers exploit business logic flaws to scrape websites for intellectual property, and perform repeated brute force attacks or use wildcards in search fields to shut down applications. Typical application scanners can’t detect business logic flaws and secure development processes may not mitigate them.

Web application firewalls, therefore, can be an organization’s first line of defense to protect applications against threats like technical web attacks, business logic attacks, and online fraud. Unlike traditional network security solutions, web application firewalls understand web usage and validate input to stop dangerous attacks like SQL injection, XSS, and directory traversal. They block scanners and virtually patch vulnerabilities. And they rapidly evolve to prevent new attacks and keep critical applications safe.

Unfortunately, not all firewalls are created equal. Organizations must carefully evaluate the security, management, and deployment capabilities of these firewall products, to minimize threats from back actors.

Let’s look at the top 10 challenges addressed by web application firewall and the features any such solution should provide to mitigate those challenges.

Understanding web applications

Advanced, custom web attacks are on the rise among organizations of all sizes and complexity. With JavaScript and SQL, hackers can create almost unlimited SQL injection and XSS attacks. While signatures can help detect web attacks, they must either be written broadly (resulting in false positives) or they must define the exact syntax of the attack (resulting in false negatives). Hackers can use encoding, comments, and obfuscation to outwit traditional security solutions.

To stop attacks, a web application firewall must understand the protected application, including URLs, parameters, and cookies. Understanding the protected application and validating input helps stop attacks like SQL injection, parameter tampering, and cookie poisoning.

Since organizations frequently update applications, a web application firewall also needs to automatically learn application changes without manual intervention. This makes it easier to manage a web application firewall while providing the highest levels of protection.

Staying ahead of hackers

Hackers are constantly creating new attack tools, developing new ways to recruit volunteers, or honing existing techniques. What’s more, fraud malware developers have architected self-mutating files to evade virus signature detection. Keeping up with the latest application threats—including vulnerability exploits, malicious users, and fraud schemes—is an enormous challenge for application security solutions.

Consequently, a web application firewall must have up-to-date protection. It should leverage live attack, reputation, and fraud data from around the world to identify both attacks and attackers. Security signatures, policies, reputation data, and fraud intelligence should be updated automatically without human intervention.

It is also important to look at the research organization that is producing security content. Is it focused on web application security? Is it equipped to defeat the latest application attacks? If not, it’s time to consider another solution.

Thwarting evasion techniques

Organizations need to block web attacks without blocking legitimate traffic. How do you tell the difference between a cybercriminal and a web user that accidentally submitted special characters in a form field? The answer is through advanced analytics and correlation.

A web application firewall must include an analytics engine that can examine multiple attack indicators to block attacks without false positives. This analytics engine must be able to evaluate factors such as attack keywords, special characters, protocol violations, and known attack strings simultaneously. It should identify violations and then perform additional analysis using risk scoring and regular expressions to differentiate between malicious requests and unusual, but harmless traffic.

The firewall also must correlate requests over time to detect repetitive attacks, such as brute force login or Distributed Denial of Service (DDoS). A flexible and intelligent correlation engine will enable a web application firewall to stop sophisticated hackers without blocking legitimate users.

Preventing automated attacks and bots

Cybercriminals now have access to off-the-shelf toolkits like the Havij SQL injection tool to extract sensitive data. Because of the growth in automated attacks, stopping malicious users is now as important as stopping malicious requests. But correctly identifying the bad guys requires multiple defenses.

Your web application firewall should have real-time reputation intelligence to identify and block malicious traffic before an attack can happen. It should also be able to recognize bots— the automated clients behind most automated attacks.

To reduce network level DDoS attacks, a web application firewall should also include integral support for a high-capacity, cloud-based DDoS protection service.

Recognizing malicious sources

In most cases, malicious web visitors that try to steal data, commit fraud, or take down websites aren’t even human. They are bots that continuously attack one site after another. On the other hand, human hackers are more sophisticated than bots; they use anonymous proxies or Tor networks to hide their identity. Unfortunately, organizations can’t identify malicious users until the damage is done.

A web application firewall must recognize known malicious sources and sites. Because hackers often use anonymizing services, the firewall should detect access from anonymous proxies and Tor networks. It also should recognize users referred from a phishing site. Ideally, the firewall also should be able to restrict access by location, which helps eliminate unwanted traffic and can thwart DDoS attacks from a specific country.

Because web application firewalls can be effective at detecting web-based threats, they should also be able to collect and share information about attacks and attack sources. Intelligence-based solutions are the future of application security.

Patching vulnerabilities virtually

By some estimates, more than 83% of scanned sites have at least one vulnerability. At the same time, fixing discovered vulnerabilities can take 59 days on average, during which time your applications remain exposed to attack. Besides the cost and the time required to fix vulnerabilities, organizations must consider additional hurdles like vulnerabilities in legacy applications and in packaged applications.

A web application firewall must prevent attempts to exploit application vulnerabilities. Defenses such as input validation, HTTP protocol validation, and attack signatures must be able to block most vulnerability exploits out-of-the-box. At the same time, however, organizations need granular control to ensure strict security measures are applied to known application vulnerabilities. Your firewall should integrate with application scanners and build custom policies to virtually patch vulnerabilities discovered in this way.

Stopping malware

Cybercriminals are using their success with online banks to branch out into other applications like ecommerce and bill payment. How do they carry out malware-based fraud? First, they infect machines with malware such as the Zeus or SpyEye Trojans. Then, when infected users log into a targeted web applications such as online banking sites, the malware modifies web pages, performs unauthorized transactions, or steals login credentials

Because web application firewalls sit between web users and applications, they must be able to analyze end user attributes and web traffic patterns to identify malware infection and block malware-infected devices. They must also perform a number of actions, such as monitoring the user for a specified period of time, generating an alert, or integrating with a fraud management solution to open an investigation case. And, they have to do it all without requiring changes to the protected web application.

Eliminating payment and account origination fraud

How can organizations protect their applications against fraudulent users quickly, without expensive and protracted application development projects?

Your web application firewall must be able to integrate with cloud-based fraud security solutions, to analyze a range of user and transaction attributes, including browser irregularities, known fraudulent devices, and suspicious payment information. The web application firewall should correlate fraud risk data with web attack and user information to accurately identify and stop fraud.

Supporting both on-premise and cloud deployment

Application architectures are as diverse and rapidly evolving as application threats. Consequently, a web application firewall must provide flexible deployment and configuration options.

Because many organizations have moved their application infrastructure to the cloud, web application firewalls support virtual appliance solutions for private clouds and cloud-based security services to protect hosted web applications.

Organizations hosting applications on-premise have specific needs of their own. Many require a high performance solution that won’t change existing applications or network devices. Others may need a firewall that can modify content, sign cookies, rewrite HTML. Still others may need non-inline deployment, so IT security teams can ease into inline deployment over time.

When evaluating web application firewalls, it’s important to look for solutions that will support both on-premises and cloud requirements for the foreseeable future.

Automating and scaling operations

Web application attacks can be complicated. Stopping those attacks shouldn’t be. Security administrators should be able to create custom security policies without learning a scripting language. Organizations must be able to centrally manage application security policies and monitor events at a global level. They also need detailed security alerts and customizable reports for monitoring and forensics.

Your web application firewall must have point-and-click security policies. Simple, flexible policy configuration makes initial configuration easier, and simplifies the process for administrators to review security policies.

Besides custom policies, web application firewalls must support centralized management, to help synchronize policies and application profiles across all of their web application firewalls, no matter where those devices may be located.


Web applications drive organizations more today than at any other time in history. Unfortunately, a whole industrialized economy has emerged for hackers, with automated tools to steal data, disable websites and commit online fraud. Network security products like firewalls and intrusion prevention systems are typically not enough to stop these growing risks.

Protecting your assets and improving security means having a web application firewall that fully meets your organization’s specific requirements. Your odds of falling victim to today’s growing range of cyber-attacks are greatly improved when your web application firewall supports the essential capabilities described here.

About Thales TCT

Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., protects the most vital data from the core to the cloud to the field. We serve as a trusted, U.S. based source for cyber security solutions for the U.S. Federal Government. Our solutions enable agencies to deploy a holistic data protection ecosystem where data and cryptographic keys are secured and managed, and access and distribution are controlled.

For more information, visit www.thalestct.com

About IC Insiders

IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.