Why WAFs leave you adrift in the treacherous waters of cybersecurity

In the ever-shifting currents of the cybersecurity ocean, debates about the relevance and effectiveness of various defense mechanisms continue to surface, much like a ship's course correction. One such debate centers around the fate of web application firewalls (WAFs). While some still argue that WAFs are vital anchors for protecting web applications, others declare them pointless. 

At Contrast Security, we think that WAFs are crying out to be replaced by Runtime Security in the cybersecurity armada. 

While people are still using WAFs to protect their apps, the problem is that they don’t work, for one good reason:  They can't protect against attacks from back-end systems. Neither can they protect against SQL injection attacks such as the recent MOVEit breach. We’ve known about these attacks — in which SQL query strings can be directly passed to the back-end database of a Web application — for 25 years. SQL injection is still on the Open Worldwide Application Security Project (OWASP) Top 10 list of security vulnerabilities, and it’s still a constant threat — one that WAFs can’t stop. 

WAFs are too noisy, as well, spouting a constant stream of false negatives and positives. That’s because they sit at the front of your infrastructure, where they can’t take into account its ephemeral nature. Modern systems are not only bigger but also far more interconnected, modular and distributed. Legacy tools, including WAF, were built for a simpler time. They focus on individual pieces of a system. Today's complex environment requires a holistic view, with a unified approach that can navigate the multifaceted structure of modern applications: one that’s constantly shifting, given the realities of dynamic, cloud-based or containerized environments.

Given this complexity and a skyrocketing number of vulnerabilities, we can no longer afford to concentrate on theoretical risks. The volume and nature of threats demand a focus on what actually runs, what is genuinely exploitable and what is actively being exploited. And we need to know the context, which is crucial in the face of such complexity and threats. It's not enough to know that a vulnerability exists; we must understand how it fits within the larger system.

With countless potential issues, the ability to discern what truly matters becomes essential. The right context allows us to prioritize effectively, focusing on the most significant risks without becoming overwhelmed by the sheer volume of possibilities.

The evolution of cyber threats: Navigating uncharted waters

1. False positives and negatives: Hidden shoals and false beacons

The digital seascape has witnessed a significant transformation over the past decade, with attackers becoming as cunning as pirates. They employ advanced techniques to exploit vulnerabilities in web applications, much like pirates hunting for treasure. Traditional WAFs now struggle to navigate these treacherous waters.

One of the primary criticisms against WAFs is their tendency to raise false alarms and provide false security. False positives occur when the system incorrectly flags legitimate traffic as malicious, causing unnecessary disruptions and potentially driving away genuine users. Conversely, false negatives happen when the WAF fails to detect real threats, allowing attackers to breach the system undetected.

These inaccuracies can create a turbulent user experience, making it difficult to distinguish friend from foe and wasting enormous amounts of time doing so. Organizations relying solely on WAFs find themselves constantly battling against false alarms and losing trust in their security systems.

2. Limited protection scope: Shallows and dangerous reefs

WAFs are primarily designed to protect against known web application vulnerabilities and common attack patterns. However, the cyber threat landscape has evolved to include more complex attacks targeting zero-day vulnerabilities and employing advanced evasion techniques. In such perilous waters, WAFs often struggle to provide adequate protection, as they lack the ability to navigate such uncharted depths.

3. Complex configuration and management: Navigating through stormy weather

Implementing and managing a WAF can be as challenging as navigating while wearing a blindfold. Organizations need to fine-tune the rules and configurations to minimize false alarms and ensure that legitimate traffic isn't blocked. This task requires a deep understanding of both the application and the WAF technology. Smaller organizations with limited resources may find this a daunting challenge.

Moreover, as web applications evolve and change over time, the WAF rules must be continuously updated to stay effective. Failure to do so can leave applications vulnerable to emerging threats.

Alternative solutions: Charting new courses

In light of these challenges, some cybersecurity experts advocate for exploring alternative solutions to WAFs. Alternatives on the horizon include these technologies:

1. Behavioral analytics: Navigating by the stars

Instead of relying solely on predefined rules, some organizations navigate by the stars of behavioral analytics. This approach involves monitoring user and application behavior to identify anomalies that may indicate a potential attack. Behavioral analytics can be more effective at detecting unforeseen threats and the maneuvers of cunning adversaries.

2. API security: Protecting valuable cargo

As organizations increasingly rely on application programming interfaces (APIs) to transport valuable digital cargo between applications, API security has become critical. Solutions such as Contrast’s API Security Testing Platform can protect against API-specific vulnerabilities and attacks.

3. DevSecOps: Seamanship for the digital age

DevSecOps is the proactive approach of integrating security into the development process. It involves continuous testing and validation of code to ensure security from the ground up. By addressing security concerns during development, organizations can reduce their reliance on post-deployment defenses like WAFs.

Navigating the ever-changing cybersecurity seas

It’s clear that WAFs alone are insufficient to navigate the diverse and treacherous waters of web application attacks. To enhance security, organizations should consider charting new courses, embracing a multi-faceted approach that includes behavioral analytics, API security and DevSecOps practices.

As threats continue to evolve, so too must our defensive strategies. WAFs are no longer the sole guiding star in the complex web Application Security (AppSec) voyage. In the relentless battle against today's sophisticated threats, Runtime Security emerges as the undisputed champion, rendering WAFs essentially obsolete.

Contrast Protect RASP will bail you out

In short, there’s no reason to run a WAF. Instead, organizations must turn to Runtime Security protection.  Contrast’s Protect RASP technology is production application and API protection that blocks attacks and reduces false positives, helping developer teams to prioritize vulnerability backlogs. It’s superior to WAFs because it's instrumented to defend applications from within. 

And no, it can’t protect your organization from distributed denial of service (DDOS) attacks: That’s the job of your cloud service provider. But when it comes to protecting your applications, you can trust Protect. 

WAFs are belly-up. Replacing them with Contrast Protect enables your organization to:

Block attacks against 0 days: i.e., vulnerabilities that haven't yet been fixed or patched. Unlike perimeter defenses, instrumentation and sensors accurately detect and block runtime application attacks. They give you a firm yes or no regarding whether the exploit reached its target. As well, Protect shields your applications  against many zero-day attacks without tuning or reconfiguration.

Game-changing forensics: Contrast Protect gives your AppSec, SecOps and Dev teams accurate, detailed information: the lines of code, queries executed, files accessed and more, leading to faster remediation.

In a world where cyber threats evolve faster than ever, relying solely on WAFs is akin to bringing a leaking lifeboat as you sail into a tsunami. The undeniable truth is that Runtime Security stands as the guardian of the digital realm, armed with the tools and capabilities necessary to repel the most cunning adversaries. 

Organizations must recognize the paradigm shift and embrace Runtime Security as the pinnacle of defense in an era where compromise is not an option.

Read more: 

• Contrast API Security Testing Platform
• Hands-on testing and protecting APIs (virtual workshop) 
• Defense-in-depth web AppSec: The case for having both RASP and WAF (white paper)
• The Future of API Security (webinar)
• Protecting Apis: An Uphill Battle (white paper)
• Building a modern API security strategy: A five-part series — Overview
• Building a modern API security strategy — API inventory
• Building a modern API security strategy — API protection
• Building a modern API security strategy — API testing
• Building a modern API security strategy — API components