Protecting client-side web applications and websites is a goal that straddles both the application development and cybersecurity industries. Bugs and vulnerabilities in web applications represent a significant portion of the most common attack paths. However, there remains a bit of a struggle as to who is responsible for protecting the client side. Is it the security team or is it the application development team? While application security is shifting further to the left, both teams need to improve collaboration throughout the software development lifecycle to better integrate security earlier in the process and keep the client-side safe from e-skimming, Magecart, formjacking, and other client-side attacks.
We’ll explore all of these solutions in future blogs. To get started, let’s discuss WAFs and their limitations.
What is a WAF?
A WAF helps businesses protect their web applications by filtering and monitoring HTTP traffic between the application and the internet. It protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), and SQL injection. WAFs are deployed in front of web applications and analyze bi-directional web (HTTP) traffic, detecting and blocking anything malicious. They are useful tools when protecting your business from skimming attacks, but they can only do so much.
What WAF limitations do I need to be aware of?
WAFs are a category of firewall designed specifically to protect web applications and your business from falling victim to skimming attacks. WAFs are deployed in front of web applications to analyze web traffic in order to detect and block malicious or unauthorized activity. According to the Payment Card Industry Data Security Standard (PCI DSS), a WAF sits between a web application and the client endpoint and serves as a security policy enforcement point. Web application firewalls protect web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection.
However, WAFs are an Open Systems Interconnection (OSI) layer 7 defense mechanism against application-layer attacks. They protect the server-side services that user-facing web applications use to collect, store, and process data. WAFs are not designed to protect the browser-level user interface itself. In other words, if a web application and its user experience is a house, then the WAF protects the walls, not the furniture or the people inside. In the end, WAFs are not able to detect and protect businesses from sophisticated skimming malware, drive-by skimming, supply chain attacks, or sideloading and chainloading attacks.
WAFs cannot protect businesses or their customers from:
- Sophisticated Skimming Malware: WAFs are not able to detect and protect businesses from more sophisticated skimming malware.
- Drive-by Skimming and Supply Chain Attacks
- Sideloading and Chainloading Attacks
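To make the visibility gap concrete, here is an added example in Python; it is not code from the original post or from any product it describes. It models a WAF as an inline filter that inspects only traffic addressed to the protected host (`shop.example`, an assumed name) using two deliberately simple signature rules, then runs a constructed set of requests from one checkout page load through it. The injection attempts aimed at the protected origin are blocked, but the browser's own requests to other origins (a third-party script fetch and that script's beacon, both constructed hostnames) never reach the WAF at all. That is the blind spot the list above describes: the traffic that carries a client-side skimming or supply-chain compromise is browser-to-third-party traffic, outside the WAF's perimeter.

```python
import re
from dataclasses import dataclass, field

# Assumption: the origin the WAF sits in front of (constructed hostname).
PROTECTED_HOST = "shop.example"

# Minimal signature rules of the kind a WAF applies to request content.
# Deliberately small: real WAF rule sets are far larger and tuned per application.
RULES = {
    "sqli": re.compile(r"(?i)(\bunion\b\s+\bselect\b|\bor\b\s+1\s*=\s*1|--\s*$|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon[a-z]+\s*=)"),
}


@dataclass
class Request:
    """One HTTP request as seen on the wire; 'client' is the party that sent it."""
    client: str            # "browser" or "server"
    method: str
    host: str              # destination host
    path: str
    params: dict = field(default_factory=dict)   # query/body parameters


def inspect_request(req):
    """Return the id of the first rule that matches the request, or None if it looks clean."""
    values = [req.path, *req.params.keys(), *map(str, req.params.values())]
    for value in values:
        for rule_id, pattern in RULES.items():
            if pattern.search(value):
                return rule_id
    return None


def waf_sees(req, protected_host=PROTECTED_HOST):
    """An inline layer-7 WAF only sees traffic addressed to the host it fronts."""
    return req.host == protected_host


def run_waf(requests, protected_host=PROTECTED_HOST):
    """Classify each request as blocked, allowed, or never seen by the WAF."""
    report = {"blocked": [], "allowed": [], "unseen": []}
    for req in requests:
        if not waf_sees(req, protected_host):
            # The browser talked to some other origin; the WAF had no chance to inspect it.
            report["unseen"].append(req)
            continue
        hit = inspect_request(req)
        if hit:
            report["blocked"].append((req, hit))
        else:
            report["allowed"].append(req)
    return report


# Constructed sample traffic for a single checkout page load.
SAMPLE_TRAFFIC = [
    Request("browser", "GET", "shop.example", "/checkout"),
    Request("browser", "GET", "shop.example", "/search", {"q": "' OR 1=1 --"}),
    Request("browser", "GET", "shop.example", "/search", {"q": "<script>alert(1)</script>"}),
    # A script the checkout page pulls in from another origin. The browser fetches it
    # directly, so the request never traverses shop.example's WAF.
    Request("browser", "GET", "cdn.thirdparty.example", "/widget.js"),
    # Whatever that script then sends elsewhere is also browser-to-other-host traffic.
    Request("browser", "POST", "analytics.thirdparty.example", "/collect", {"event": "page_view"}),
]


if __name__ == "__main__":
    result = run_waf(SAMPLE_TRAFFIC)
    for req, rule in result["blocked"]:
        print(f"BLOCKED  {req.method} {req.host}{req.path} (rule: {rule})")
    for req in result["allowed"]:
        print(f"ALLOWED  {req.method} {req.host}{req.path}")
    for req in result["unseen"]:
        print(f"UNSEEN   {req.method} {req.host}{req.path} (outside the WAF's perimeter)")
```

The `unseen` bucket is the point of the exercise: nothing in the WAF's rule set matters for those requests, because the inspection point is positioned on the path to the protected origin, not inside the customer's browser. Inventorying which origins a page actually loads code from is therefore a separate control from the WAF, not something the WAF can be tuned to provide.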
Are WAFs right for me?
Absolutely. WAFs are good security tools to start protecting your business from client-side attacks. However, they can only block some client-side threats; they can't block all of them. As with everything in security, there is no silver bullet that protects your business and your customers from all cyberthreats. A WAF protects the traffic between your servers and your customers, but the protection ends there. It can't monitor or protect your business from browser-level threats outside of your security perimeter. To learn more about WAFs and best practices to improve your client-side security, check out our white paper.