The web application firewall (WAF) is dead, they say, and DevOps is the culprit, found over the body in the server room with a blade in its hand and splattered code on its shirt. But although some could argue that DevOps had the means, motive, and opportunity, the fact is that WAF isn’t dead at all, nor is it likely to be anytime soon.
You can only get rid of WAF if you fully implement security into your development process and audit the process via code reviews and annual tests. But DevSecOps can’t be realistically implemented for all web apps in the enterprise environment, so WAF will stick around because it still has a job to do.
The WAF is not dead, what’s left?
DevOps and the continuous integration and continuous deployment (CI/CD) pipeline provide an excellent opportunity to implement security, especially if your agile methodology includes security sprints. It allows for security to be built into the apps from the start, rather than taking the traditional route of applying it later, which is not only inefficient but – in the frenetic pace of CI/CD – can be overlooked, ignored, or forgotten.
Although security for all web apps should be built-in from the start, our experience shows that it is usually only applied to the “crown jewels,” like the company’s primary customer portal or client payment systems. In an enterprise environment, it’s not unusual for a company to be running old apps in which code is no longer maintained or apps integrated through acquisition.
Additionally, departments such as R&D and marketing frequently implement custom or third-party applications. This app proliferation can result in more than 50% of public-facing web applications in an organization being managed by DevOps or other disparate IT groups. These apps will need additional mitigation controls, which is where WAF comes in.
The limits of DevOps security
Web application firewalls became an essential layer of security when web apps became a critical part of the enterprise. A single network firewall designed to protect a largely static network environment was no longer enough. WAFs are specific to each application and, therefore, require different protections. The filtering, monitoring, and policy enforcement (such as blocking malicious traffic) provide valuable protections but carry cost implications and consume computing resources. In a DevOps-fed cloud environment, it’s challenging to keep WAFs current with the constant flow of updates and changes.
Introducing security into the CI/CD pipeline can solve that problem, but only for those apps being developed that way. It’s impossible to build security sprints into old third-party apps or applications deployed by different departments. The mere existence of those apps presents risk to the enterprise. They still need to be secured, and WAFs are likely still the best option.
It’s also important to remember that no approach to cybersecurity will be perfect and that an agile DevOps methodology won’t be enough on its own. Even in an environment believed to be devoid of outdated or third-party apps, you can never be sure what other groups are doing or deploying—shadow IT is a persistent problem for enterprises. In addition to security sprints, code reviews, and other steps, it’s a good idea to perform penetration tests at least annually.
Penetration testing, also known as ethical hacking, simulates cyberattacks on systems, networks, and web apps to expose vulnerabilities that hackers could exploit. Pen tests give organizations an excellent opportunity to synchronize security posture realities with expectations.
WAF lives on
An agile, DevOps approach that actively builds security into web applications should be considered a best practice. It ensures that security keeps pace with the speed of innovation in the CI/CD pipeline, helps build a culture of collaboration between security and operations teams, and aligns cybersecurity with the business needs. But at the enterprise level, it’s impossible to apply security across the board because of the presence of older, unsupported applications, third-party additions, and independent activities by other departments that might take place outside the purview of development teams.
Reports of WAF’s demise have been greatly exaggerated. As long as legacy apps exist outside of the DevOps environment—or DevOps teams don’t fully implement security from the ground up (which is still fairly common), other means of protecting applications and mitigating attacks will be necessary. For the foreseeable future, at least, WAF is here to stay.