Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News AWS Web Application Firewall: Bolt-on Security for Insecure Websites

AWS Web Application Firewall: Bolt-on Security for Insecure Websites

Web Application Firewall (WAF) is a new feature from AWS which sits in front of your public website and protects it from malicious traffic. It works like a reverse proxy which inspects incoming HTTP requests looking for patterns that indicate suspicious activity. Good requests are passed onto your web application to handle, and bad requests are blocked. It's a tool which can potentially add a layer of security to an existing application without changing the app.

WAF's behavior is configurable with policies for identifying and managing suspect traffic. Amazon has published a whitepaper [PDF] explaining how WAF can be used to mitigate the OWASP Top 10, the most prevalent security flaws in web applications. Many of the recommendations use string matching to check the body or headers of incoming requests, for input which is required - like security tokens, or restricted - like SQL keywords. Others suggest combining WAF with Lambda or CloudFront for richer threat detection.

WAF is a generic tool and it has a much greater chance of success with some categories of attack than others. Injection attacks are relatively straightforward to mitigate just by analyzing the request, without knowing the application context. You can configure WAF to block suspicious activity by checking for SQL keywords in request query strings. Attacks which rely on subverting security inside the application context are harder to mitigate. If your app uses unique cross-site request forgery (CSRF) tokens, you can't configure WAF to reject requests that replay a used token, you would need to build a custom integration between WAF and your application.

InfoQ spoke with Mark Nunnikhoven to ask whether generic tools like WAF can be used to successfully bolt security onto an insecure app. Nunnikhoven is vice president of Cloud Research at Trend Micro, and an AWS Community Hero.

InfoQ: Do you think any of the recent high-profile breaches could have been prevented with a tool like WAF?

Mark Nunnikhoven: Breaches tend to happen for a number of reasons but a very common vector is taking advantage of a web application vulnerability. Cross-site scripting and SQL injection attacks continue to be a very effective method for attackers. In these cases AWS WAF is highly effective. It's designed to analyze web application traffic and look for malicious content. It's a simple and effective layer of defence for your web application.

InfoQ: The OWASP Top 10 is the focus of many security plans, audits and tools like WAF. Does the Top 10 go far enough, or is there more to consider for securing web apps?

Nunnikhoven: The OWASP Top 10 was recently updated and - sadly - not much changed. Developers continue to make the same mistakes and platforms continue to expose similar issues. There's a long tail of security issues but the Top 10 provides a focus on the biggest return. If an application addresses these ten areas well, that's a solid foundation for security. There's no point in worrying about obscure attacks that are unlikely to impact your application and users if you haven't covered the basics first.

InfoQ: You could use the workflow of WAF as a model and create your own custom proxy, adding security without changing your app. Is that feasible, or do security flaws need to be addressed by hardening the application?

Nunnikhoven: Any third-party security control like AWS WAF is designed to augment a hardened application. Security controls are a safety net. They catch the issues that fall through the cracks of a well-designed application and its supporting platforms.

InfoQ: Security is becoming a feature in the cloud. AWS has WAF and also Amazon Inspector which checks deployments for insecure configuration. Azure has Security Center which can automatically mitigate security attacks as well as providing recommendations for increased security. Is security a valid reason for moving to the cloud?

Nunnikhoven: Security is absolutely a reason to move to the cloud. The major cloud service providers - the AWS', Microsofts, and Googles of the world - provide a strong foundation that you can build on. They all operate under a shared responsibility model. This is where you and the provider divide the day-to-day responsibilities in each of the six major areas (physical, infrastructure, virtualization, operating system, application, and data).

This model means that you can focus on fewer areas. You're delegating work to the provider and simply verifying that they meet your requirements. You can do more with less in the cloud. It's a fantastic environment to build secure applications in.

Rate this Article