Most of us rely on web applications for just about everything, which is why a distributed denial-of-service (DDoS) attack or a Domain Name System (DNS) outage can hit a business so hard. Because so much business now runs on web services and similar technology, web application security must be a high priority within any security program.

Essential to web security are web application firewalls (WAFs), which protect web applications by inspecting HTTP/HTTPS requests and responses, whereas a conventional network firewall filters traffic on lower-layer attributes such as IP addresses and ports. However, a recent study conducted by Ponemon Institute and sponsored by Cequence Security found that a majority of respondents are dissatisfied with the effectiveness of these firewalls, and that gap leaves organizations exposed to greater risk.

Dissatisfaction With Current Web Application Firewalls

A WAF is considered a critical tool because it adds web application security in ways that traditional firewalls and other security tools cannot. Web applications expose the network to a wider range of vulnerabilities than other applications, such as SQL injection and cross-site scripting (XSS), and a WAF is designed to inspect HTTP traffic and filter out malicious requests before they reach the application.

Yet according to the Ponemon study, only 40 percent of respondents said they are very satisfied with their WAF. This may be because they aren't using the WAF to its full potential: 43 percent admitted they run it only in detection mode, generating alerts rather than actually blocking malicious requests. Sixty-five percent of respondents said a web application attack bypassed their WAF within the past year.

One possible reason behind this dissatisfaction is that WAFs are complex and managing them is time-consuming, essentially requiring someone to monitor and tune them on a full-time basis. WAFs are costly as well, adding hundreds of thousands of dollars to the security budget.

In addition to the expense and management complexities, WAFs also have technical limitations that add to that lack of satisfaction. While they are effective at detecting known HTTP-layer attack patterns, a rule- or signature-based WAF offers little protection against zero-day exploits or automated botnets. The WAF matches requests against preconfigured patterns, so an exploit whose payload matches no rule, or whose payload is obfuscated enough to slip past a rule's regular expression, passes straight through. A WAF also does not fix the vulnerabilities in the application itself; it only filters traffic in front of them. Hence, for the price and the time commitment, their function in the security system, while critical, doesn't do enough.
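To make the pattern-matching limitation and the alert-only problem concrete, here is a small rule-based request inspector in Python. It is an added example written for this article, not code from the Ponemon study, Cequence Security or any real WAF product; the three rules, the sample requests and the IP addresses are constructed for illustration. It shows a tautology SQL injection being caught, a comment-obfuscated UNION injection evading the naive rule until the input is normalized, and the difference between block mode and alert-only mode, where a match is logged but the request is still forwarded.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Toy rule set, constructed for this example. A production WAF ships hundreds
# of rules; three are enough to show how pattern matching succeeds and fails.
RULES = [
    ("sqli-001", "SQL tautology (' OR 1=1)", re.compile(r"'\s*or\s+1\s*=\s*1", re.I)),
    ("sqli-002", "UNION SELECT",            re.compile(r"\bunion\s+select\b", re.I)),
    ("xss-001",  "script tag",              re.compile(r"<\s*script\b", re.I)),
]


@dataclass
class Verdict:
    matched: list = field(default_factory=list)  # rule ids that fired
    blocked: bool = False                        # True only in block mode


def decode(raw: str) -> str:
    """Percent-decode twice so a double-encoded payload is seen in plain form."""
    return unquote_plus(unquote_plus(raw))


def strip_inline_comments(text: str) -> str:
    """Replace SQL inline comments (/*...*/) with a space so they cannot be
    used as whitespace substitutes to split a keyword sequence the rule expects."""
    return re.sub(r"/\*.*?\*/", " ", text, flags=re.S)


def inspect(query: str, body: str = "", mode: str = "block", normalize: bool = True) -> Verdict:
    """Run every rule over the decoded query string and body.

    mode="block"  -> a match blocks the request
    mode="alert"  -> a match is only logged; the request is still forwarded
    normalize     -> strip inline comments before matching
    """
    text = decode(query) + "\n" + decode(body)
    if normalize:
        text = strip_inline_comments(text)
    matched = [rule_id for rule_id, _, rx in RULES if rx.search(text)]
    return Verdict(matched=matched, blocked=(mode == "block" and bool(matched)))


def log_line(client: str, path: str, query: str, verdict: Verdict) -> str:
    """Format one audit-log line the way a WAF operator would see it."""
    action = "BLOCK" if verdict.blocked else ("ALERT" if verdict.matched else "PASS")
    rules = ",".join(verdict.matched) or "-"
    return f"{action} client={client} path={path} query={query!r} rules={rules}"


if __name__ == "__main__":
    # Constructed sample requests: an obvious tautology, a comment-obfuscated
    # UNION injection, and a reflected-XSS probe.
    samples = [
        ("203.0.113.7", "/item",   "id=1%27+OR+1%3D1--"),
        ("203.0.113.7", "/item",   "id=1%27/**/UNION/**/SELECT/**/1,2--"),
        ("203.0.113.9", "/search", "q=%3Cscript%3Ealert(1)%3C/script%3E"),
    ]
    print("-- raw pattern matching, block mode --")
    for client, path, query in samples:
        print(log_line(client, path, query, inspect(query, normalize=False)))
    print("-- with comment normalization, block mode --")
    for client, path, query in samples:
        print(log_line(client, path, query, inspect(query)))
    print("-- alert-only mode: matches are logged but nothing is stopped --")
    for client, path, query in samples:
        print(log_line(client, path, query, inspect(query, mode="alert")))
```

The second sample is the point: without normalization, `UNION/**/SELECT` never matches `union\s+select`, so the injection is logged as PASS even though the database will happily execute it. Adding the comment-stripping step closes that one evasion, but every other encoding trick needs its own normalization, and a payload for a bug no rule describes still passes. The alert-only run shows why "43 percent only generate alerts" matters: the inspector sees the attack, writes an ALERT line, and forwards the request anyway.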

Improve Web Application Security With AI and Consolidated Functions

So, as important as having a WAF is, you need other security tools in place to support and complement the firewall. The solution may be found in artificial intelligence (AI)-powered automation and a consolidation of application security functions.

“[Our customers] rely on web, mobile, and API-based applications to link customers, partners, and suppliers across their digital ecosystem,” said Franklyn Jones, CMO of Cequence Security, in a formal statement. “And they need an intelligent, integrated application security solution that can protect them against a broad range of sophisticated attacks.”

Integrating WAFs with other critical security tools can simplify your IT architecture and reduce latency. One problem with legacy WAFs is that they are difficult to scale as needs change. Consolidating application security functions should address some of these issues without requiring larger, more expensive appliances.

With AI-powered solutions, organizations can put custom detection models in place to catch the threats that legacy WAF rules miss. This is especially relevant with the rise of internet of things (IoT)-based DDoS attacks, since AI-based WAFs can help identify the multipurpose botnets responsible for them from their traffic behavior rather than from a fixed signature.

Automated web application security scanners crawl apps and websites to look for possible vulnerabilities. As with penetration tests, there are black box approaches, in which the scanner has no knowledge of the application's internals, and white box approaches, in which the scanner has access to the source code. White box scanning requires skilled staff, specifically someone familiar with the code. Black box scanning can typically be run by anyone on the IT or security team.

Web applications are a necessary part of doing business, meaning web application security has to be a top priority. A single exploited flaw that lets an attacker stage a DDoS attack or get malware into your network could take you offline, expose you to data breaches and hurt your company's reputation. A web application firewall is a crucial but distrusted and underused security tool. If it is going to meet critical needs, organizations need to add automated and consolidated technologies to the web application security stack.
