<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Angels of security &#187; jeremiah grossman</title>
	<atom:link href="http://angelsofsecurity.com/blog/tag/jeremiah-grossman/feed/" rel="self" type="application/rss+xml" />
	<link>http://angelsofsecurity.com/blog</link>
	<description>Musings of an infosec renegade</description>
	<lastBuildDate>Tue, 02 Aug 2011 19:01:53 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Web app firewalls</title>
		<link>http://angelsofsecurity.com/blog/2008/07/02/web-app-firewalls/</link>
		<comments>http://angelsofsecurity.com/blog/2008/07/02/web-app-firewalls/#comments</comments>
		<pubDate>Wed, 02 Jul 2008 21:11:16 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[application security]]></category>
		<category><![CDATA[jeremiah grossman]]></category>
		<category><![CDATA[WAF]]></category>

		<guid isPermaLink="false">http://angelsofsecurity.com/blog/2008/07/02/web-app-firewalls/</guid>
		<description><![CDATA[Jeremiah Grossman has an article in CSOonline wherein he calls the current web application security methods (review code, find flaws, fix) insane and proposes web application firewalls as the better alternative. It is unreasonable to expect publishers, enterprises and other site owners to restart and reprogram every website securely from scratch. Nor can we fix [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://jeremiahgrossman.blogspot.com/">Jeremiah Grossman</a> has an article in <a href="http://www.csoonline.com/article/412163/Industry_View_Web_Application_Security_Today_Are_We_All_Insane_/1">CSOonline </a>wherein he calls the current web application security methods (review code, find flaws, fix) insane and proposes web application firewalls as the better alternative.</p>
<blockquote><p>It is unreasonable to expect publishers, enterprises and other site owners to restart and reprogram every website securely from scratch. Nor can we fix the hundreds of thousands (maybe millions) of custom Web application vulnerabilities one line at time. The very thought sounds insane to me. It would take too long (probably never finish), cost far too much (billions per year), and the bad guys are already ahead of us.</p>
<p>&#8230;</p>
<p>We have to be able to detect flaws, react faster, and adapt better on an Internet-wide scale. Web application vulnerability assessment solutions like those provided by WhiteHat Security are able to do this and then inform businesses of where the problem spots are. To address identified issues quickly Web application firewall (WAF) technology is getting a serious look. Recent technology advancements enable vulnerability assessment results to pipe straight into a WAF as virtual patches.</p></blockquote>
<p>Honestly it sounds good (really it does), and I know many entities which have been forced to do something similar (most didn&#8217;t call it a WAF at the time) when faced with this problem (that being too many applications and too little time).</p>
<p>My general feeling on WAFs is that the centralization and tremendous time savings can be a boon to many enterprises, but that signature systems will always have flaws, and need to be constantly maintained and updated. To use a metaphor, think of traditional port filtering firewalls and IDS/IPS. Imagine an admin who has only an IPS, and must constantly be on the lookout for new attacks so that he can write new signatures and block them. Then there is the firewall with a default deny. That admin knows that only specific ports are allowed through, because only those services are needed, and on which machines they reside. His life is a lot easier (although admittedly he still has to worry about application vulnerabilities). Once again however, Jeremiah has <a href="http://jeremiahgrossman.blogspot.com/2008/06/why-most-wafs-do-not-block.html">beaten my thought process to the punch</a>.</p>
<blockquote><p>To implement default-deny Web Application Firewalls (WAF) must know everything about a website at all times, even when they change.</p></blockquote>
<p>What we need to do for web applications is what we did for networks in the past &#8211; learn everything. We need to know which applications do what, and what inputs and outputs they should have. Hard? Yes. But ultimately it will be better than the alternative.</p>
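<p>As an added example (not part of the original post, and not code from any WAF product), here is a toy model of the two approaches contrasted above: a signature list that allows by default and denies only what it recognizes, beside a per-endpoint description of what the application actually accepts, which denies everything it has not been told about. The endpoints, parameter patterns, signatures and sample requests are all constructed for illustration.</p>

```python
"""Negative (signature) vs positive (default-deny) filtering of web requests.

Added example. The endpoint table, the two signatures and the sample
requests below are constructed for illustration, not taken from a real site.
"""
import re
from urllib.parse import parse_qs, unquote_plus

# Negative model: the admin with only an IPS. Everything is allowed unless
# it matches a known-bad pattern, so the list is never finished.
SIGNATURES = [
    re.compile(r"union\s+select", re.I),
    re.compile(r"<script", re.I),
]


def signature_model_allows(path, query):
    """Default allow; deny only if a signature matches the decoded query."""
    decoded = unquote_plus(query)
    return not any(sig.search(decoded) for sig in SIGNATURES)


# Positive model: the admin with a default-deny firewall. Each endpoint
# lists the parameters it takes and the shape each value may have. A
# virtual patch for a finding such as "/item?id is injectable" is simply
# a (tighter) entry in this table rather than a new attack signature.
ENDPOINTS = {
    ("GET", "/search"): {"q": re.compile(r"[\w .,-]{1,64}")},
    ("GET", "/item"): {"id": re.compile(r"\d{1,10}")},
    ("POST", "/login"): {
        "user": re.compile(r"[a-z0-9_.@-]{1,64}"),
        "pass": re.compile(r".{1,128}", re.S),
    },
}


def positive_model_allows(method, path, query):
    """Default deny: unknown endpoint, unknown parameter, repeated
    parameter or a value of the wrong shape are all rejected."""
    schema = ENDPOINTS.get((method, path))
    if schema is None:
        return False                      # nobody described this endpoint
    params = parse_qs(query, keep_blank_values=True)
    for name, values in params.items():
        pattern = schema.get(name)
        if pattern is None:
            return False                  # parameter the app never asked for
        if len(values) != 1:
            return False                  # parameter pollution (id=1&id=2)
        if not pattern.fullmatch(values[0]):
            return False                  # value outside the declared shape
    return True


# Constructed sample requests: (method, path, query string).
REQUESTS = [
    ("GET", "/search", "q=blue+widgets"),                 # legitimate
    ("GET", "/item", "id=42"),                            # legitimate
    ("GET", "/item", "id=42+UNION+SELECT+1,2"),           # textbook payload
    ("GET", "/item", "id=42+UNION%2F**%2FSELECT+1,2"),    # comment between keywords
    ("GET", "/item", "id=42&id=43"),                      # same parameter twice
    ("GET", "/admin/export", "format=csv"),               # endpoint nobody described
]


def evaluate(requests=REQUESTS):
    """Return [(signature_model_verdict, positive_model_verdict), ...]."""
    return [
        (signature_model_allows(path, query),
         positive_model_allows(method, path, query))
        for method, path, query in requests
    ]


if __name__ == "__main__":
    for (method, path, query), (sig_ok, pos_ok) in zip(REQUESTS, evaluate()):
        print(f"{method} {path}?{query:<32} signatures={'allow' if sig_ok else 'deny':<5} "
              f"default-deny={'allow' if pos_ok else 'deny'}")
```

<p>Run on the constructed requests, the signature list blocks only the textbook payload: the same payload with <code>/**/</code> in place of the space, the repeated <code>id</code> parameter and the undescribed <code>/admin/export</code> endpoint all pass, and each would need yet another signature. The default-deny model rejects all four without knowing anything about attacks, because it knows what the application expects. The price is exactly the one the post names: the endpoint table has to be complete and has to be kept current every time the application changes.</p>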
]]></content:encoded>
			<wfw:commentRss>http://angelsofsecurity.com/blog/2008/07/02/web-app-firewalls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

