If you’re reading this then you are probably asking yourself, what is a Web Application Firewall (WAF)?
Does my company need one, and how much is this going to cost me?
You’re not alone.
Like many others, we’ve found that a lot of cyber security companies are quite happy to give you all the technical information, which is great.
But for someone who is not so tech-savvy or clued up on web application firewalls, this can be quite overwhelming.
With so much information being thrown around, no one really addresses the elephant in the room.
Does my business really need a WAF?
So I’m going to try my best to explain Web Application Firewalls, the benefits, the costs, and most importantly if your business will really benefit from having one.
A Web Application Firewall (WAF) helps protect web applications such as websites from malicious cyber attacks.
It does this by filtering and monitoring HTTP traffic that comes to the web applications via the internet.
An easy way to imagine it is like this: your website is the web application, and the HTTP traffic is the people visiting it.
A WAF sits in the middle and acts as the doorman and decides which users can visit the site, and which can’t.
How does it know who to let in and who to turn away?
Well like any doorman you have rules in place as to who can come in and who can’t.
These are called WAF policies and we use these to tell the doorman (WAF) specifically who to let into our website.
Now there are many different cyber threats out there and a WAF can only do so much.
Here are some of the main threats a WAF can protect you from.
SQL injection is one of the most common web hacking techniques and a malicious one at that.
Structured Query Language (SQL) is a language used in programming to manage data held in a database.
select * from Users where (username = 'submittedUser' and password = 'submittedPassword');
A malicious visitor can inject SQL of their own through a form on your website and delete, edit or, worse, extract data; if you hold your web users’ personal information on your system, that could be a big issue.
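To show why the login query above is dangerous, and what the application-side fix looks like, here is an added example (not code from the original post). It builds a constructed in-memory SQLite table with one made-up user, runs the article's query once by string concatenation and once with bound parameters, and shows that the same typed-in value logs the attacker in through the first version but not the second. Table and column names follow the article's query; the user record and the helper names are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed demo database: one table, one made-up user (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_concatenated(conn, submitted_user, submitted_password):
    """The article's query built by pasting the form values into the SQL text.

    Whatever the visitor types becomes part of the statement the database
    executes, so a value containing quotes can change the query's logic.
    """
    sql = (
        "select * from Users where (username = '" + submitted_user
        + "' and password = '" + submitted_password + "');"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, submitted_user, submitted_password):
    """Same query with bound parameters (the '?' placeholders).

    The values travel to the database separately from the SQL text, so they
    are only ever compared as data and never interpreted as SQL.
    """
    sql = "select * from Users where (username = ? and password = ?);"
    row = conn.execute(sql, (submitted_user, submitted_password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # A classic tautology typed into the password box, used here only to show
    # the difference between the two versions of the same query.
    injected = "' OR '1'='1"
    print("concatenated, real password :", login_concatenated(db, "alice", "correct-horse"))
    print("concatenated, injected value:", login_concatenated(db, "nobody", injected))
    print("parameterised, real password:", login_parameterised(db, "alice", "correct-horse"))
    print("parameterised, injected value:", login_parameterised(db, "nobody", injected))
```

In the concatenated version the injected value turns the WHERE clause into `(username = 'nobody' and password = '' OR '1'='1')`, which is true for every row, so the check passes for a user that does not exist. A WAF can block requests that carry such values at the door, but the parameterised query is the fix that removes the weakness itself; the two belong together.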
Another common cyber attack is Cross-site request forgery (CSRF), also known as session riding, XSRF, and sea surf.
This is a sophisticated attack in that it tricks your web users into performing unwanted actions on your website when a user is logged into your web application.
This kind of attack can be devastating for the business and the end-user.
Cross-site scripting (also known as XSS) allows a hacker to compromise the interactions that users have with a web application.
It allows a hacker to circumvent the same-origin policy, which is designed to segregate different websites from each other.
Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user.
They can carry out any actions that the user can perform, and access any of the user’s data.
If the victim user has privileged access within the application, then the attacker might be able to gain full control over all the application’s functionality and data.
WAF prices vary from vendor to vendor; some offer a fully managed service, where they will monitor your web applications 24/7 and configure the WAF correctly from the start.
This ensures that your policies (rules) for your web applications to filter traffic are set up correctly.
For a fully managed service, prices start from around £175 a month.
Try finding a site with an online WAF pricing calculator so you can find out how much the monthly cost will be.
The other option is to manage a WAF yourself.
Whilst this is the cheaper option, my concern is that if you don’t understand the cyber security threats that are out there and keep on top of new ones, the WAF won’t be very effective.
A WAF by default will protect your web applications from a lot of cyber security threats out there.
However, having a cyber security expert look for vulnerabilities in your infrastructure and configure your WAF to stop hackers in their tracks is real peace of mind in my books.
If going down the self-managed WAF route, you will also need to take training into consideration.
The person managing the WAF will need to know which cyber security threats are currently out there and keep up to date with any new ones.
A fully managed WAF service takes the pressure off and saves you money in the long term on staff training and salary.
Every business is different, and what it really boils down to is what web applications you have in place.
For this I am going to look at two different types of website examples, ones with data behind the scenes, and ones without (brochure websites).
Are you a business that has a website with no real functionality, except for maybe a contact form for users to send you enquiries via email (not stored in a database)?
Then you probably won’t benefit from having a WAF.
If this is you then you probably pay to have your website hosted from a third-party hosting company such as Go Daddy or LCN.
A lot of these hosting sites already have basic firewalls in place anyway so you should be ok.
I say should be ok, but there is always a risk.
If you have nothing to really offer a hacker, such as personal data or transactional data to exploit, then there isn’t a lot of harm an attack can do except maybe deface or delete your site.
If that is the case make sure you back it up.
It’s always best to check with your hosting provider to see if they run automated backups of your website.
Let’s say you run a website that does the following:
- Takes card payments
- Has access to personal data
- Has an admin portal
- Is hosted on your own server
Then quite simply, GET A WAF!!
A data breach is a company’s worst nightmare.
Let’s look at British Airways for example, in July 2019 they were slapped with a £183M fine from the ICO for a data breach.
This breach saw 500,000 customer records being compromised.
Now you’re probably thinking that British Airways are a huge company which is a hacker’s dream if they can get in, right?
True, but hackers will prey on the little guys more often than not.
With the ICO having the authority to charge up to 4% of a company’s turnover for a data breach you can see why cyber security is so important.
Another thing you will need to consider if you’re handling card transactions within your web application is PCI compliance.
It is a requirement by the PCI DSS to have a WAF in place to help combat cyber-attacks on your website.
PCI is a legal requirement for all companies that deal with card transactions on their web applications.
So what have we learned?
- The basic functionality of a Web Application Firewall
- How much it will cost to run
- Whether a WAF is the best fit for your web application
Are you still scratching your head?
No problem, get in touch with us and let’s discuss your web application infrastructure and establish whether you will benefit from having a WAF or not.
Maybe you have questions about your internal infrastructure as well, in which case a cyber security review may be the answer you’re looking for.