In the event that you have a WAF in place and are hacked (likely, in the scenario where you have implemented the solution in monitoring/listen-only mode), the collection of the post data will be your primary evidence source that indicates how your application was exploited. This information is critical in your investigation and remediation efforts because you must always identify the “how” so you know “what” to fix.

WAFs are only as effective as the engineers who manage them. You can’t simply turn a WAF on using default policies without impacting legitimate traffic. Nor do WAFs come out of the box with custom policies for input sanitization, so you need skilled security engineers to manage the solution in partnership with the development staff. WAFs are also more effective when integrated with a web application vulnerability detection service such as WhiteHat Security, so the highest levels of your technology organization must buy into the solution. This is a budget use case you can win if you factor in the cost of a breach (largely determined by the data set you are protecting and record quantity), and the deductible of your cyber insurance policy. Note that your policy will likely increase significantly if invoked in a disclosure scenario.

Many organizations, especially those with high data protection requirements and low sensitivity for latency, are opting for WAF management services instead of managing the policies in house. WAF engineers can implement and fine-tune policies faster than an in-house engineer because they are dedicated to monitoring the solution and know the product inside and out.

A Day in the Life of a WAF Administrator

Continual management efforts shaping WAF policies are not typically driven by attacks, rather they are driven by application changes, especially in accelerated application development environments. A WAF administrator must review and analyze logs for policy violations and respond with changes that could permit legitimate traffic—or not, if they’re seeing false positives. If you don’t want your limited security engineering resources focused on managing policies to keep up with rapid application changes, and you can’t afford application performance hits or feature disruptions while waiting for a policy to get updated, it’s a good idea to look into outsourcing these operations to a managed service provider. When it comes to attack use cases, your WAF administrator should be making special alerts and configurations for attack types that appear like legitimate traffic to the WAF, such as brute force and bot/web scraping. Advanced administrators will develop custom signatures to protect against identified vulnerabilities for which out-of-box signatures do not exist.

UGC Best Practices

In regards to input sanitization flaws with user-generated content, you should only relax your policy—to allow approved content types in—within the particular user-generated content portion of the app. This introduces the least exposure to the app while allowing the business process to function. Some of the defenses applied against user-generated content (in line with OWASP guidelines) are as follows:

1. Prevent file upload of executables
2. Prevent *nix command-execution in the web application
3. Prevent upload or execution of scripts in web forms unless specifically allowed
4. Prevent file upload modification from an accepted file type to a non-accepted file type
5. Strongly advise customer to not allow public Internet-access to the admin page

Conclusion

Community and social engagement features have become the online experience standard. When you allow users to create a profile, add a picture, ask a question, or enter a comment, they are adding to your website. It is your responsibility to ensure they cannot leverage this capability to inject malicious code. Consider it a cost of doing business online.

Implementing a WAF is a good first step to protect yourself, as long as it is properly configured and managed by your security engineers and development staff. Development involvement is critical so that web application updates can be made where needed and you inadvertently relax your policies to the point that they’re effectively disabled. Managed WAF services are a preferred alternative for some organizations because they provide around-the-clock monitoring and remediation by security experts and don’t require you to have the in-house expertise or redirect one of your senior engineers to manage it. Whatever approach you choose, it is effort well spent.