{"id":2116,"date":"2006-02-01T00:00:00","date_gmt":"2006-02-01T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2006\/02\/01\/web-application-firewalls-critical-piece-of-the-app-security-puzzle\/"},"modified":"2021-12-30T11:40:42","modified_gmt":"2021-12-30T11:40:42","slug":"web-application-firewalls-critical-piece-of-the-app-security-puzzle","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2006\/02\/01\/web-application-firewalls-critical-piece-of-the-app-security-puzzle\/","title":{"rendered":"Web application firewalls critical piece of the app security puzzle"},"content":{"rendered":"<p>Having a Web application firewall in place can mean the difference between scrambling to fix a vulnerability &#8212; taking an application offline and paying emergency overtime fees for developers and QA staff &#8212; or having the breathing room to repair the vulnerability on your own schedule.  Web application firewalls (WAFs) are an emerging category of firewall, defined by the consortium as &#8220;an intermediary device, sitting between a Web client and a Web server, analyzing OSI Layer 7 messages for violations in the programmed security policy.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The goal of the WAFEC project is to help organizations evaluate WAFs, said project leader Ivan Ristic, founder of Web application security company Thinking Stone Ltd. in London.  The project group, which is made up of WAF vendors, security professionals and WAF users, spent most of 2005 debating the various requirements.<\/p>\n<p>A WAF can use a proxy-based architecture, a deep packet inspection-based architecture &#8212; or both.  
The intent, said Jeremiah Grossman, a project contributor and founder and chief technology officer of WhiteHat Security in Santa Clara, Calif., is not to recommend certain features, but rather to &#8220;give someone a way to compare one firewall to another.&#8221;  Categories covered in the document include deployment architecture, HTTP and HTML support, detection techniques, protection techniques, logging, reporting, management, performance and XML.<\/p>\n<p>WAFs target the application layer, not the network<\/p>\n<p>WAFs address different issues than network firewalls, which defend the perimeter of a network, Kraynak said.  &#8220;If you don&#8217;t have a Web application firewall in front of the application, you don&#8217;t know what&#8217;s happening and you&#8217;re not in control,&#8221; he said.  Grossman added: &#8220;We&#8217;ve had network firewalls for many years, and nobody claims they stop everything.&#8221;<\/p>\n<p>WAFs haven&#8217;t taken hold<\/p>\n<p>Boston-based Yankee Group has labeled the WAF market &#8220;mature&#8221; but says it has not really gained traction.  In comparison, the overall security market has grown at a 20% to 30% pace during the past five years, according to Yankee Group.  
Yankee Group predicts that the WAF market as it exists today will be subsumed in a few years by a larger market: application assurance platforms, which will combine WAFs, database security, XML security gateways and application traffic management segments.<\/p>\n<p>http:\/\/searchappsecurity.techtarget.com\/originalContent\/0,289142,sid92_gci1163145,00.html<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"class_list":["post-2116","post","type-post","status-publish","format-standard","hentry","category-trends"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=2116"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2116\/revisions"}],"predecessor-version":[{"id":4603,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2116\/revisions\/4603"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=2116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=2116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags
?post=2116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}