Here at FireTail.io, we are also not fans of a WAF. Why? We do not believe that a WAF will catch most modern attacks. WAFs are fundamentally based on firewall (perimeter defense) structures that are designed to keep attackers out based on where they are coming from, where they are going to, and what they are trying to access. A simple search for bypassing a WAF returns quite a lot of results:
Bypass WAF, 1.28M results
Dr. Cunningham’s post shares some interesting opinions and statistics on WAFs:
“WAFs are antithetical to the move to Zero Trust”
“According to most innovators and experts, the pattern and rule-based engine used by WAFs are not aligned with current security needs.”
“Ponemon conducted research at that time to probe the market for issues with WAF solutions, and more than 600 respondents made their point clear: WAFs aren’t helping.”
While 66% of respondent organizations consider the WAF an important security tool, over 40% use their WAFs only to generate alerts (not to block attacks)
86% of organizations experienced application-layer attacks that bypassed their WAF in the last 12 months.
Managing WAF deployments are complex and time-consuming, requiring an average of 2.5 security administrators who spend 45 hours per week processing WAF alerts, plus an additional 16 hours per week writing new rules to enhance WAF security.
The CapEx and OpEx for WAFs together average $620K annually. This includes $420K for WAF products, plus an additional $200K annually for the skilled staffing required to manage the WAF.
SUMMARY OF WAF FAILURES FROM DR. CHASE CUNNINGHAM
If you wanted the tl;dr version of what Dr. Cunningham had to say, it’s this:
In other words, WAFs are not stopping attacks, require continuous configuration and intensive management and security human capital, and are more expensive than other better-suited technologies.
WHAT IS A BETTER APPROACH THAN USING A WAF THEN?
This is where our view may both overlap with and also differ from from Dr. Cunningham’s. Dr. Cunningham speaks of the model of Web Application Isolation (WAI), whereby an application is effectively public on the Internet, but only behind a required authentication controller, and then creates a secure tunnel.
Our view on this is two-fold:
For public or consumer applications, this can work. But it requires an immediate control for authorization. Too often, developers assume controlled inputs and no attempts at unauthorized access. But the provisioning of a “secure tunnel” is something that happens already via SSL / TLS, and there’s no need for another “secure tunnel”.