The WAF Appliance Struggle is Real in a Cloud Native World

Brendon Macaraeg
Signal Sciences Labs
Mar 14, 2019

The Trabant, once a popular car in East Germany, has become emblematic of inferior technology and failure, since it is so often associated with the collapse of the Eastern Bloc. Produced from 1957 to 1991, the Trabant was slow, poorly designed, and badly built. It moved passengers from point A to point B, but neither competently nor safely. Models produced in the ’80s lacked basic features like a tachometer, headlights, turn signal indicators, fuel gauge, rear seat belts, or an external fuel door. A buyer’s dilemma arose during its production run: “good enough” was accepted as sufficient, and consumers put themselves at risk. The alternatives were only marginally better, because a captive market left little incentive to innovate.

Aside from collectors who drive them occasionally as unique oddities, Trabants now hang in museums as a reminder of what happens to products that lack features and fail to provide a baseline of effective functionality.

A similar buyer’s dilemma is playing out in application security as CISOs and their security staff realize that “good enough” is not enough when it comes to effective layer 7 web security. WAF appliances, whether hardware or virtual, may tick the compliance box, but in an era of cloud native applications their problems range from protection that is ineffective and does not scale to ongoing maintenance cost. In this post, we’ll dive into why WAF appliances struggle to provide adequate protection in cloud environments and how a next-gen WAF, with new approaches to application security, provides a highly effective alternative.

Loyalty Driven by Compliance

Let’s get a simple truth out of the way: in the past, organizations bought a WAF to meet PCI compliance, not for its inherent security value. It was a means to pass an assessment when the auditors paid a visit. Over time PCI compliance became table stakes in the WAF segment, but legacy appliance WAFs hung around as an outdated technology propped up by regulatory need. They gave a false sense of security without doing much to defend against layer 7 attacks.

Acting essentially as a filter, appliance WAFs sometimes blocked legitimate traffic, but for IT stakeholders seeking relief from the flow of bugs that was an acceptable trade-off: a minimal level of protection at the application layer, which was exactly where they needed assurance in order to meet PCI compliance requirements. PCI DSS Requirement 6.6 gives an organization two options for public-facing web applications: review them with manual or automated vulnerability assessment tools or methods, at least annually and after any change, or install an automated technical solution that detects and prevents web-based attacks, such as a WAF. Because the first option consumes development and security resources on every release, most organizations read 6.6 as a mandate to invest in a WAF. Spending further development effort just to meet compliance was not palatable.

The Inherent Scalability, Performance and Maintenance Issues of Appliance WAFs

Legacy WAFs rely on signatures and regular expression matching (regexes) to determine whether HTTP requests are malicious. The WAF compares each request against every available signature and blocks matching requests. Therein lies a performance issue: rulesets run to thousands of signatures, and new ones are introduced continually. Now think about how many web requests even a rudimentary web application receives during high traffic periods and you begin to see a scalability issue. Checking every regular expression sequentially on every request means the work grows with both traffic volume and ruleset size, and the ruleset only ever gets bigger as new signatures are added.

Those rulesets must be configured and tuned per application, every time a code change is introduced. That means a recurring cost for ruleset maintenance: a staff member must dedicate a significant portion of their time to maintaining and tuning rules.

Moreover, after all that work, most companies with an appliance WAF run it in passive, monitoring mode only. Why? Blocking mode has a high false positive rate and breaks legitimate traffic. Sure, the appliance can log traffic, but someone has to review those logs manually or triage each alert as it is flagged. That is a lot of noise to sift through to determine whether a real security event has occurred.

What if you get this message from your Risk and Compliance Manager: “The third-party compliance auditors are coming! Put the appliance WAF in blocking mode to get that box checked, then turn it off when they leave!” Running an appliance WAF in monitoring mode only succeeds at generating a false sense of security, not an effective security control.

Learning Mode Cannot Match the Speed of DevOps

To reduce false positives and avoid blocking valid traffic, legacy appliance WAFs provide a “learning mode” in which the WAF observes normal traffic patterns so that it can later recognize bad traffic and enforce the ruleset. This is easier said than done, especially in production: there are few shortcuts, and they all take time. A legacy WAF needs to observe a certain amount of traffic before it can tell good from bad and block illegitimate requests.

With the rise of Agile and DevOps, deployment speed keeps increasing as organizations innovate to gain and keep a market edge. Application code changes weekly, daily, or even hourly. If every code change requires putting a legacy WAF back into learning mode, you will always be running your appliance WAF in learning mode. That puts your organization at a disadvantage with antiquated technology that cannot keep up with the pace of modern software delivery.

To cope with the constant change inherent in Continuous Integration and Deployment (CI/CD), most signatures end up running in passive, non-blocking mode to avoid breaking an app or otherwise interfering with request processing.

To get by with a WAF appliance in this situation, most companies run the bare minimum number of rules. So only the most obvious and egregious attacks are caught, while everything else sails right past, including requests from malicious actors. Simple rules mean easy-to-bypass rules, leaving you with an ineffective WAF and ongoing attack exposure.
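To make the two points above concrete, the sequential signature matching described under scalability and the easy bypass of a bare-minimum ruleset, here is a small added example. It is not code from the original post or from any WAF product; the four signatures, the sample requests and the two normalization steps are assumptions constructed for this illustration. It walks an entire regex ruleset for every request, exactly as a legacy engine does, and shows that two cheap evasions (URL encoding and SQL comment padding) slip past the same rule that catches the plain payload until the engine adds normalization, which is one more thing someone has to maintain.

```python
"""Added illustration, not code from the original post or from Signal Sciences:
a minimal signature/regex filter of the kind the post describes, evaluated
sequentially over a ruleset against constructed sample requests. The ruleset
and the request strings are assumptions made for this example."""
import re
from urllib.parse import unquote_plus

# Constructed, deliberately tiny ruleset in the style of a legacy signature WAF.
# Production rulesets run to thousands of patterns, each evaluated per request.
SIGNATURES = {
    "sqli-or-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "sqli-union-select": re.compile(r"union\s+select", re.IGNORECASE),
    "xss-script-tag":    re.compile(r"<script\b", re.IGNORECASE),
    "path-traversal":    re.compile(r"\.\./"),
}


def normalize(raw_request: str) -> str:
    """Undo the two cheapest evasions: URL (double) encoding and /**/ comment
    padding. A 'bare minimum' ruleset usually skips this step entirely."""
    text = unquote_plus(unquote_plus(raw_request))   # second pass handles %2527-style double encoding
    return re.sub(r"/\*.*?\*/", " ", text)            # collapse inline SQL comment padding to a space


def match_signatures(raw_request: str, signatures=SIGNATURES, normalize_first=False):
    """Return the names of all signatures that match the request.

    Like a legacy engine this walks the whole ruleset for every request, so the
    work is len(signatures) regex evaluations per request and grows with both
    traffic volume and ruleset size."""
    text = normalize(raw_request) if normalize_first else raw_request
    return [name for name, rx in signatures.items() if rx.search(text)]


# Constructed sample requests: a benign search, a plain SQL tautology, and the
# same payload URL-encoded and comment-padded.
SAMPLE_REQUESTS = {
    "benign":  "GET /search?q=blue+widgets HTTP/1.1",
    "plain":   "GET /login?user=admin' OR 1=1-- HTTP/1.1",
    "encoded": "GET /login?user=admin%27%20OR%201%3D1-- HTTP/1.1",
    "padded":  "GET /login?user=admin'/**/OR/**/1=1-- HTTP/1.1",
}


if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        raw = match_signatures(req)
        norm = match_signatures(req, normalize_first=True)
        print(f"{label:8} raw={raw} normalized={norm}")
```

Without normalization only the plain payload matches; with it, all three variants do. The catch is that normalization is itself a growing list of transformations (case folding, nested encodings, alternative tautologies such as `OR 2>1`, different comment styles), so every evasion found in the wild becomes another rule or decoder to write, test and tune. That is the maintenance treadmill the post is describing.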

A Next-Gen WAF Effectively Monitors and Protects Applications Wherever they are Deployed

So what defines cloud native application security that is effective within a CI/CD model where apps are deployed to the cloud or to a hybrid of on-premises and cloud? Before answering that, we need to point out what may be obvious to some in the industry: how software is designed and deployed has changed significantly since legacy WAFs were first introduced. Web apps were simpler and relatively self-contained two decades ago, but have since become more capable and complex. We are now seeing software decompose: tertiary functions and features that do not need to run at all times are separated from the central functions of the application. APIs and microservices let applications be more flexible and perform faster and more efficiently. As serverless computing becomes more ubiquitous, we will continue to see new app functionality built independent of the platforms and environments it runs in.

Effective Cloud Native Application Security Defined

It is a given that your application footprint will live in various environments and expand over time. Modern software architecture demands automated attack coverage that provides granular, application-specific defense without a lot of effort, regardless of where the apps are deployed. Legacy rules-based Web Application Firewalls (WAFs), on the other hand, simply were not built for modern applications that span on-premises and cloud. A next-gen approach embeds protection alongside the application itself, instrumenting it to give visibility into how your applications are being attacked and to block malicious requests.

We’ve written extensively in past blog entries about Signal Sciences advantages over legacy WAF offerings to directly address the issues of performance, scalability and maintenance raised here. We offer the following as key characteristics that define a next-gen WAF. We have more reasons to share with you, but let’s focus on those germane to WAF appliances’ struggle in the cloud.

Protect Your Apps in Production Without Breaking Them

Effective application security provides automated defense in production with no false positives; 95% of our customers achieve that thanks to our threshold approach to blocking. With threshold blocking, we do not make a decision on each request in isolation as legacy appliance WAFs do; instead we inspect suspicious payloads over time and with context to determine whether an actual attack is occurring. Our patented approach analyzes over 200 billion production requests per week with no noticeable performance impact on the applications and APIs we help our customers protect.
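The general idea behind deciding over time rather than per request can be shown in a few lines. The following is an added example, not Signal Sciences’ patented implementation and not code from the original post: a generic sliding-window threshold blocker that records each flagged request per client, lets isolated flags through (so a lone false positive does not break a real user), and blocks only once a client exceeds the threshold inside the window. The class name, the window of 60 seconds, the threshold of 5 and the sample event stream are all assumptions made for this illustration; the `flagged` input stands for whatever upstream detector (signature, parser or otherwise) marked the request as suspicious.

```python
"""Added illustration, not Signal Sciences' patented method and not code from
the original post: a generic threshold-based blocking decision that acts on a
client's recent history of flagged requests rather than on each request alone.
Window size, threshold, names and the event stream are assumptions."""
from collections import defaultdict, deque


class ThresholdBlocker:
    """Block a client only after more than `threshold` flagged requests arrive
    from it within `window_seconds`. Below the threshold, flagged requests are
    logged but still allowed through."""

    def __init__(self, threshold: int = 5, window_seconds: int = 60):
        self.threshold = threshold
        self.window = window_seconds
        self._flagged = defaultdict(deque)   # client -> timestamps of recent flagged requests
        self._blocked_until = {}             # client -> time at which an active block expires

    def _prune(self, client: str, now: float) -> None:
        """Drop flagged timestamps that have aged out of the window."""
        q = self._flagged[client]
        while q and now - q[0] > self.window:
            q.popleft()

    def decide(self, client: str, now: float, flagged: bool) -> str:
        """Return 'block', 'log' or 'allow' for a single request."""
        if self._blocked_until.get(client, 0) > now:
            return "block"                   # client is inside an active block
        if not flagged:
            return "allow"                   # nothing suspicious, no state change
        self._prune(client, now)
        self._flagged[client].append(now)
        if len(self._flagged[client]) > self.threshold:
            self._blocked_until[client] = now + self.window
            return "block"                   # pattern over time, not one request, triggered this
        return "log"                         # suspicious, recorded, but still served


def replay(events, threshold: int = 5, window_seconds: int = 60):
    """Run a stream of (timestamp, client, flagged) events through one blocker
    in timestamp order and return (timestamp, client, decision) tuples."""
    blocker = ThresholdBlocker(threshold, window_seconds)
    return [
        (ts, client, blocker.decide(client, ts, flagged))
        for ts, client, flagged in sorted(events, key=lambda e: e[0])
    ]


# Constructed sample stream: one real user whose second request trips a rule
# (a false positive), and one scanner sending ten flagged requests in ten seconds.
SAMPLE_EVENTS = (
    [(0.0, "10.0.0.7", False), (1.0, "10.0.0.7", True), (2.0, "10.0.0.7", False)]
    + [(float(i), "198.51.100.9", True) for i in range(10)]
    + [(11.0, "198.51.100.9", False)]
)


if __name__ == "__main__":
    for ts, client, decision in replay(SAMPLE_EVENTS):
        print(f"t={ts:5.1f} {client:14} {decision}")
```

In the replay the real user is never blocked: their single flagged request is logged and served. The scanner gets five logged requests and is then blocked on the sixth, and stays blocked for the rest of the window even for a request that carried no payload. A per-request engine would have had to choose between blocking the user’s false positive and letting the scanner’s first five probes through with no memory of them; the threshold approach trades a few observed probes for not breaking legitimate traffic.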

Automated Blocking that Scales Without Rules Tuning

As noted, legacy WAFs require a learning mode and constant signature tuning to weed out false positives, and blocking rules are often turned off entirely for fear of breaking the application. With SmartParse, Signal Sciences virtually eliminates false positives. SmartParse is our proprietary detection method, designed to make instantaneous, highly accurate decisions about whether malicious or anomalous payloads are present in a web request. With SmartParse, our customers can scale protection from on-premises to cloud environments without the maintenance overhead, and the associated cost, that legacy WAF appliances require.

Forward Thinking and Effective Web Application Protection

There is no reason to stick with an outdated, ineffective, and costly WAF appliance, and the alternative is more than an upgrade to “this year’s model.” With a next-gen WAF like Signal Sciences there is no buyer’s dilemma: our product has proven itself in production for some of the world’s biggest brands. Designed by practitioners who experienced the disadvantages of legacy WAF technology first hand in the development and security trenches, it scales as needed to meet the demands of business growth.

Effective web application protection and compliance are both possible with our Next-Gen WAF (NGWAF) and Runtime Application Self-Protection (RASP) technology, which provides application-aware defensive coverage. Instead of just checking a box for PCI compliance, you can empower your DevOps and security teams to proactively defend against the OWASP Top 10, account takeovers, business logic attacks, and malicious bots, all without interfering with legitimate customer traffic.

We invite you to discover how Signal Sciences next-gen WAF can help protect your most critical web applications, APIs, and microservices. Request a demo today.

Photo by Sarah Phillips on Unsplash

Originally published at labs.signalsciences.com.


Product Marketer of enterprise software and services. Currently Head of Product Marketing at Britive