Skip to content

Top 5 Challenges Securing Applications with Web Application Firewalls


Application Security teams have very few options when it comes to defending their applications in production. Specifically, they struggle to get value from their firms’ Web Application Firewall (WAF) implementations, currently their only viable alternative. As their organizations adopt Agile / DevOps and constantly change the application and migrate to the cloud, the problem is exacerbated.

The challenges we consistently hear are: 

1. Alert fatigue & no blocking: AppSec teams can be overwhelmed with too many WAF alerts or falsecity-night-lights-web-application-firewall.jpg positives. This is primarily because Web Application Firewalls sit outside the app and do not know what the application is vulnerable to. Hence, it is hard to know what attacks are real and what are false positives. Given the high false positive rates, many customers do not run WAFs in blocking mode.
2. Long investigation times: Web Application Firewalls do not offer enough context to application security teams to effectively investigate incidents. They see no data beyond the HTTP request, so it is hard for the SOC or Application Security to get context about a specific piece of suspicious activity.
3. Missed attacks and false negatives: WAFs miss "hard to signature" attacks and give you no context: (e.g., XXE, Regular Expression DoS, Java Deserialization).
4. Struggles with Agile / DevOps: AppSec teams have to constantly update WAFs in environments with frequent code changes. We see this at customers practicing Agile / lean development and DevOps and doing regular code deploys.
5. Deploying in the cloud becomes very expensive: Some customers used a Web Application Firewall that did not offer a suitable cloud deployment. In other cases, the customer could not scale their WAF policies easily with their application. With each instance or code change, they had to modify rules manually or deploy additional devices.

Ultimately, these challenges stem from the fact that WAFs were purpose built for monitoring the perimeter, not the application. Hence, they are good at perimeter based protection, but not application based protection. Also, with the move to the cloud, as the perimeter has disappeared, they have struggled to adapt.

Finally, given the historically contentious relationship between engineering and security teams, Application Security teams need a better way to secure the production environment of an application. This is especially relevant when protecting legacy applications that may have limited to no engineering resources to build security controls into the application or fix vulnerabilities in source code.

How well is your WAF protecting your app?  

I would ask the following questions to know how well your WAF protects your app:

  • What do I know about the state of my production app?
  • Do I know what attacks I am vulnerable to?
  • Is my WAF in monitor or block mode?
  • How often do I have to update WAF rules?
  • How am I going to protect my apps that move to public cloud infrastructure?

Contrast Security solves this complex problem with Contrast Protect, a bold new secure technology platform, that transforms application security by making software self-protecting. Intelligent Contrast agents are injected into the code, instrumenting applications with thousands of smart, agile sensors that detect and correct vulnerabilities before deployment, and protect the software applications in operation. No legacy security tool can protect every application. But a tenacious army of intelligent Contrast sensors can.

Mahesh Babu

Mahesh Babu

Mahesh leads Product Marketing for Contrast's Application Security Platform at Contrast Security. He takes every opportunity to tell everyone how Contrast has fundamentally changed application security for the first time since he started working in security 10+ years ago. Mahesh has seen the industry evolve as a researcher, consultant, and practitioner within a large bank. He began his career as a security researcher at the CERIAS center at Purdue University. He then went on to build and scale large security & privacy programs a Senior Manager & architect for HSBC Information Security & Risk. He also spent time as a consultant at Deloitte and Booz & Company. Mahesh has a BS in Computer Science and MS in Information Security from Purdue University and an MBA from Duke University.