We hear often from customers who replace a legacy web application firewall (WAF) with Signal Sciences next-gen WAF about why they made the switch. Almost always, those reasons are a variation on the following themes:
- Legacy WAF costs too much to maintain: regular-expression based WAFs require dedicated headcount to create, test and maintain rules as the codebase changes over time. Any fast-moving development team that wants to gain market share with new features and functionality will iterate and release often.
- Legacy WAFs are black boxes: they do not provide adequate context around why they block web requests and thus they don’t provide much security value in terms of understanding attacker tactics.
- They produce too many false positives: related to item one, additional cost is incurred as security or operations staff chase down the veracity or cause of false positives, making it hard to justify running a legacy WAF in blocking mode in production. If you’re running a WAF in monitor-only or “learning” mode, you’re not getting security value out of the investment and ongoing maintenance cost.
Few security experts would dispute the fact that legacy WAF appliances—hardware or virtual—can’t keep up with today’s rapid codebase changes and release cycles. Meanwhile, stories of successful breaches caused by web layer attacks like account takeover hit the headlines regularly. Overburdened security and operation teams must deal with a wide range of issues every day, so having a legacy WAF in place that generates too many false positives is not helping the cause of solidifying an organization’s overall security posture.
The process of evaluating and choosing a replacement for a legacy WAF can be summarized in three overall steps:
Step one: know the pitfalls of legacy WAF
There are key differences between legacy and next-gen WAF: you should look for advanced web attack protection that does not negatively impact your business operations or create blockers for the development cycle. Many solutions either unnecessarily block legitimate web requests and/or degrade performance. If the legacy WAF goes down for whatever reason, your apps won’t be reachable by customers. And as mentioned prior, legacy WAF appliances also require significant maintenance costs.
Step two: understand the capabilities of a true next-gen WAF
Don’t accept vendor claims at face value, and make sure you know what you’re getting. Claims of “next-generation” web app security are plentiful, but it’s important to validate what the vendor is promising. Use relevant customer references and case studies, or take advantage of a product demo if one is available. Net-net, you need to get answers to key questions such as:
- How does the WAF block web attacks in production?
- How does the WAF integrate and power the DevOps lifecycle?
- Is the production observation and feedback easily understood and actionable?
- How quickly can the WAF be installed? Hours? Or days and months?
- What are the key detection and prevention capabilities?
- Does it offer protection beyond OWASP Top 10 injection attacks?
- Can the new WAF solution help maintain compliance from HIPAA to GDPR and SOC2?
Step three: identify what’s necessary to replace a legacy WAF
Don’t underestimate the importance of fast-time-to-value: the sooner you can deploy web layer protection in production, the sooner your organization will realize security value from the WAF investment.
If the WAF solution is going to take months to deploy and requires complex management that will consume IT resources, it may not be worth pursuing. Organizations invest heavily in a solution only to abandon it and replace it with a next-gen WAF like Signal Sciences: when stakeholders see the solution being used only in “monitoring” mode because it’s too resource-draining to operate on a continuous basis, they know it’s time to move on. The infographic below will walk you through the overall steps to replacing a legacy WAF, or alternatively show you how easy it is to deploy and gain security value from a true next-gen WAF.
Our award-winning next-gen WAF was built to provide effective web protection and fast time to value. Your development teams can use the production feedback to harden their code prior to release and security teams can defend those apps upon deployment to production with superior automated protection. Request a demo today to learn more from one of our application security experts.