There’s just no way around it: legacy web application firewalls are struggling to keep up in a landscape where applications are developed in different languages and deployed across different infrastructures. As discussed in a prior post, legacy WAF offerings are based on antiquated technology that does not scale adequately yet requires significant maintenance. If your organization is considering buying a legacy WAF appliance (hardware or virtual) you should prepare yourself for little protection in production and lots of maintenance and the associated cost.
The core of legacy WAF inadequacies is this: they were not designed for ever-evolving software development and deployment patterns. We recently released our white paper Modern Applications and Architectures Demand a New Web Application Firewall, which leverages data from across the Signal Sciences customer base. We looked at where and how our customers install and leverage our protective next-gen WAF and RASP technology. The resulting data reveals several key takeaways about what a truly next-gen WAF accomplishes in this constantly changing landscape. A true next-gen WAF:
Deploys across a wide variety of architecture and infrastructure models
Provides reliable protection coverage across a wide variety of web layer attack methods
Meets the needs of any org delivering modern apps on a continual basis
This post summarizes the changes in development, architecture, and infrastructure that point to a certainty: a new breed of web application firewall (WAF) is required to protect digital assets fronted by a web app or accessed via API or microservices.
Evolving Infrastructure and Architectures
With the rise of cloud computing, data centers will continue to be used significantly less in production environments. By 2025, 80% of enterprises will have shut down their traditional data centers. That doesn’t mean all legacy, monolithic applications and infrastructure will have disappeared, but clearly with 60% of all organizations developing apps specifically for the cloud, the underlying architectures used to design applications has fundamentally changed with the move to cloud native.
In modern applications, we see clients, ranging from web browsers to mobile apps, connecting to multiple services to render the application. This move towards a distributed architecture is based on services. Taking an application and decomposing it into a set of services is exactly the approach that a microservices architecture promotes. Bottom line? The decomposition of software means we’ll continue to see applications, API and microservices deployed across a wide range of infrastructure.
Securing Modern Architectures
In an n-tier model, the top tier was considered the best place for a web application firewall (WAF) due to its position in the communication stream. But when every service and API is talking over HTTP to each other and new applications can come online in days, the WAF has to change. To get coverage across all applications, a WAF should be deployed alongside or in front of each service. And this is not just coverage of microservices, but a WAF should also be flexible to protect any tier-based architecture model or microservices model.
High Velocity Software Development
The Agile Manifesto was released in 2001 and since then has rippled across the industry because it results in faster development cycles measured in days, not months or years as commonly experienced in waterfall shops. Agile’s only disadvantage was that it was mostly used by developers and left out the operations teams.
With the rise of cloud computing and Infrastructure as Code, Agile moved into new territory and brought about DevOps. The joining of two disparate groups, devs and ops, meant applications and services would be delivered together. It created both innovation and feedback loop across the entire system resulting in velocity that businesses craved to innovate and stay ahead of the competition. But with the evolution of software development practices, we have to change how we implement defense.
Staying Secure at the Speed of Development
The previous generations of web application firewalls required a tuning period. After every change to your application, the WAF would be put into “learning mode” which would allow it to learn what the normal actions for the application are over a period of time. At a minimum this learning period was usually recommended to be several days in length but some vendors asked for weeks to get enough sample data. This might have been acceptable for waterfall development, but with the rise of Agile and DevOps, this just doesn’t work.
A Next-Gen WAF defends Apps in Any Architecture, Infrastructure, or Language
The core premise behind WAFs–stopping application security attacks–is more relevant than ever with web application attacks continually being the number one source for data breaches over the last five years. But the modern application looks nothing like it did a decade ago, so legacy WAF defense based on yesteryear’s defense just won’t cut it in the context of the changes we outlined previously. Instead of deploying defenses at one spot only in your system, you need to split up the WAF and put the defense where applications live.
There are three main reasons customers choose Signal Sciences to defend their web systems:
Our solution works for any architecture that our customers use to develop and deploy their apps, APIs and microservices from cloud to on-prem to containers.
Our automated protection works out of the box without rules tuning and virtually no false positives: this is why 95% of our customers use Signal Sciences in blocking mode in production.
We empower DevOps, Security and Operations teams with feedback loops to share actionable information to all groups that need visibility.
Signal Sciences can be used in any combination of cloud provider, datacenter, web server, load balancer, language, or container orchestration framework. Because of this breadth, Signal Sciences provides visibility, actionable insights and automated blocking to stop application attacks before they start. These capabilities are validated by our customers whose collective testimony resulted in Signal Sciences distinction as a Gartner Peer Insights Customers’ Choice for the Web Application Firewall category.