Ask HN: Do you use Web Application Firewall (WAF)?
I am wondering if it is worth the extra protection of using a WAF, or is it OK to rely on our application code to protect against XSS, SQL injection, etc. types of attacks? This is for a new cloud application that we are launching. I am leaning towards using a WAF since this is an enterprise/business application. Also, are there any specific products you would recommend? I have been reviewing how to configure the rules in HAProxy/mod_security but am wondering if it is just safer to rely on a commercial product. Any suggestions or experiences?

I've always viewed security as a layered approach. The more layers you add, the better protected you are. I subscribe to the thought that nothing is 100% secure, so I would recommend putting as many layers as possible. In my opinion, the issue you should be concerned about is the effectiveness of whatever solutions (layers) you implement. I think it is being accepted by the industry that detection and prevention methodologies based on predefined data (signatures, rules, etc.) are only as strong as said predefined data. In layman's terms, it will probably protect you from most unsophisticated attackers, but that's it. Today's most sophisticated attacks are one-off (0day) and/or custom, so they probably won't be defined. In this regard, some of the newer generation security solutions are developing / using smarter detection and protection methodologies (real time adaptive models vice defined positive and / or negative models). I don't mean to paint a negative picture, but I am trying to illustrate the importance of multiple layers. ModSecurity seems to be the preferred open source solution with a more active community than the rest. But Intel and Oracle also have some interesting solutions in this space.

As a security expert I wouldn't recommend this approach. The "as many layers as possible" is a waste of time and money (an overkill). A proper threat and risk analysis should be done so you can have a cost-effective solution. Security is expensive and maybe the cost of a breach is way cheaper than the security appliance or experts you hire. Sometimes the best security solution is not to have anything, because it doesn't really matter.

To each their own I guess. I would call this the "what you don't know can't hurt you" approach. What would this threat and risk analysis be based on? Known threats? Unknown threats? How can you quantify "proper"? In my opinion, if the threat could actually be defined, then there would be no security industry. Everyone would know the answer, and everyone would be secure. The reason this industry exists is because you cannot define the threat; it is constantly evolving. Doing nothing because it does not matter (really?), or justifying a lack of security by lowering the value of the customer's data, sounds like an unprofessional approach.

I've used Mod_Security previously and I must tell you it is quite efficient against basic types of attacks. Being a penetration tester, I would suggest that you implement mod_security preliminarily and test your product for vulnerabilities.

I don't think WAFs are worth the maintenance headache. I help manage a pentesting firm. Once in a blue moon, we'll get a target with a WAF installed that can't be disabled for the test, and it's never more than a speed-bump. Generally: I wouldn't bother. If you're going to do something WAF-y, my recommendation would be modsecurity.

Since ours is a business SaaS application that will be utilized by other companies, I believe there may also be commercial benefits to having a WAF. Eventually, we may need to do a formal security audit and penetration testing, but it seems to me it would help to tell customers that we are using a WAF as part of our infrastructure. Is that possible?

Not that a WAF is some sort of magic bullet, and it does require significant investment to properly configure and run, but wow am I ever tired of hearing this. Yeah, the pentest guys (multiple firms) we retain always whip their cock out and tell us how easy it is for them to beat the WAF, that it only stops script kiddies, how we should spend more money on what they're selling, etc. Then I compare our internal risk assessment with their pen-test results and find they don't find nearly all of the issues we know exist, and can only exploit a fraction. We usually get a claim of total victory supported by some line about "if we had more time, we'd certainly be able to exploit this issue" or "determining the complete exploit for this issue is outside the scope of this engagement". Sure thing, sport. The only time they really rendered the WAF ineffective is when we gave them so much non-public information that if an attacker had it, we'd have much, much bigger problems.

A WAF is like insurance: most of the time you won't need it, but it's good to have when the s*it hits the fan. While you can rely on your app to have its own security, it never hurts to have extra (unless latency is a concern). I'd start with an open source version and move up to a commercial product if it's necessary. I use mod_security for personal sites and Cisco NetScaler as a WAF, load-balancer and SSL offloader at work. If I was given the choice, I would use HAProxy and mod_security as I'm not too impressed with NetScaler.