
The key to successful WAF deployment is getting the ownership right

September 30, 2009

While pruning my bookmarks, I stumbled across this fantastic post to the Secure Coding mailing list, from almost two years ago:

The first part of the email gives a great insight into PCI. The second part of the email is about web application firewalls, and it's equally interesting, exciting even. This sort of email is extremely important for understanding why web application firewalls aren't anywhere near as popular as network-level controls. The main issue is ownership, and almost everyone struggles with it.

Anonymous application security practitioner writes:

7) Web Application Firewalls (WAF) are alluded to in requirement 6.6 of
PCI DSS v1.1 as an "application layer firewall":

6.6 Ensure that all web-facing applications are protected
against known attacks by applying either of the following
methods:
- Having all custom application code reviewed for common
vulnerabilities by an organization that specializes in
application security
- Installing an application layer firewall in front of
web-facing applications.
Note: This method is considered a best practice until June 30, 2008,
after which it becomes a requirement.

Notice that WAF is not required per se, but the alternative of inspecting
all application code by an organization that specializes in application
security is very seldom feasible. In fact, InfoSec first approached our
team to do code inspections, but when we heard that there were more than
1M LOC, we told them that this was impossible given our current team size.

Code inspection *might* work for some small company who exclusively uses
some custom code using CC info with something like a small, custom
shopping cart application, but it is not going to be economical for
most medium to large companies.

I also think that there is going to be significant push-back by
companies where PCI audits are required. I wouldn't be surprised if that
date gets pushed out to Jan, 2009. On the positive side at least, the
PCI auditor who was interacting with our company said that we could
configure an Apache proxy together with Ivan Ristic's "mod_security"
and that would qualify as a legitimate WAF to satisfy section 6.6.
So at least we can experiment on-the-cheap. (Of course YMMV at other
companies; check with your assigned PCI auditor to see what WAF is
right for you! ;-)

8) I personally have mixed feelings about WAF. Specifically, I have some
anxiety that app dev teams will start relying on the WAF to
filter out the PCI auditors pen testing attempts rather than on
correcting it within the application itself. I don't have too much of a
problem with using a WAF to address DoS type attacks (6.5.9). (IMO, DoS
attacks are often very difficult to handle within the application itself,
especially when the app itself is using some J2EE container; addressing
DoS at the app level almost always requires some significant amount
of redesign which only complicates the app, making it more likely to
be vulnerable to other vulnerabilities.) However, inevitably some
clever 0-day is going to get past most WAFs, especially if they are
solely signature based. (Those which are also anomaly-based *might* have a
prayer.)

9) The dirty little secret that no one is talking about is the operational
issues with WAF. Our company discussed possible use of WAF/XML firewalls
years before PCI DSS made it "popular".

We never got much beyond initial discussions because we couldn't
identify any existing personnel within our company who had all the
required skills to troubleshoot it AND would be willing to do so.
(Think additional "pager duty".) We talked with stakeholders from
InfoSec, our company's network engineering team who manages our border
firewalls and routers, some *nix and Windows OS system administration
teams, and amongst our team. I think there might be only 2, possibly
3, people who have sufficient skills to operate and troubleshoot a
WAF, and all of those people are smart enough to know that it would be
a thankless job and they aren't really looking for additional opportunities
to carry pagers. Chances are, we would have to probably hire a few people
fully dedicated to this, but even then, there is the question of where they
would fit organizationally. One possible option not explored--because we had
no stakeholders represented who could finance such a thing--would be to
outsource the management of WAF to some managed security company such
as BT Counterpane, ISS, etc. Anyhow, it's a big problem and one that
isn't going to go away.

At first, intuition would suggest that usual FW teams would be best
suited (and that indeed is what most WAF vendors suggest), but for the most
part, the usual FW teams' understanding of attacks at layer 7 is often
very limited.

If you or anyone you know ever comes up with a solution on how to address
this particular issue, please let me know. I think it is a show stopper.
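As an added illustration (not from the original post or from the mailing-list email), this is roughly what the "on-the-cheap" setup the email mentions looks like: Apache as a reverse proxy in front of the web-facing application with ModSecurity 2.x loaded, started in detection-only mode so that whichever team ends up owning the pager can tune out false positives before switching to blocking, and with a mix of one signature-style and one anomaly-style rule feeding a single scoring decision. Hostnames, file paths, rule ids and the two sample rules are constructed assumptions, not a recommended rule set.

```apache
# Constructed example: Apache reverse proxy + ModSecurity 2.x as a WAF tier.
# Hostnames, paths and rule ids are placeholders.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule unique_id_module  modules/mod_unique_id.so
LoadModule security2_module  modules/mod_security2.so

<VirtualHost *:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key

    # The WAF terminates the client connection and forwards to the app tier.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://app-backend.internal:8080/
    ProxyPassReverse / http://app-backend.internal:8080/

    # Start in DetectionOnly: log what *would* be blocked; switch to "On"
    # only after the owning team has reviewed the audit log for false positives.
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecResponseBodyAccess Off

    # Audit only transactions a rule flagged or that ended in an error status.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Individual rules only add to a score; one final rule decides.
    SecDefaultAction "phase:2,pass,log,auditlog"

    # Signature-style rule: a crude SQL-syntax pattern in any request argument.
    SecRule ARGS "@rx (?i:union\s+select|;\s*drop\s)" \
        "id:900001,phase:2,t:urlDecodeUni,msg:'SQL syntax in argument',setvar:tx.anomaly_score=+5"

    # Anomaly-style rule: an argument far longer than the application ever expects.
    SecRule ARGS "@gt 2048" \
        "id:900002,phase:2,t:length,msg:'Oversized argument',setvar:tx.anomaly_score=+3"

    # Blocking decision on the accumulated score (enforced only once SecRuleEngine is On).
    SecRule TX:ANOMALY_SCORE "@ge 5" \
        "id:900003,phase:2,deny,status:403,msg:'Anomaly score threshold exceeded'"
</VirtualHost>
```

The audit log is the artifact the email's ownership question is really about: someone has to read it, tune the rules, and answer the page when a legitimate transaction is flagged.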