The best defense against web application threats is to tune Web Application Firewalls (WAFs) and incorporate Dynamic Application Security Testing (DAST) software, a study has found.
When used in combination with trained WAFs, DAST products, which generate filters automatically, enable a 39% improvement in effectiveness, according to the study by security analyst Larry Suto.
The study also found that Intrusion Prevention Systems (IPSs) tuned with DAST filters become a more effective WAF.
The research report, entitled “Effectiveness of Web Application Firewalls”, is based on a benchmark study conducted with eight WAFs and IPSs, and evaluates their relative effectiveness in detecting, reporting and thwarting web attacks.
Each system was tested for effectiveness against external attacks in two configurations: tuned in one day or less by an experienced security professional, and trained with DAST-generated filters.
The study found that when tuned only with ‘out of the box’ network-specific rules, IPS solutions were not very effective at defending against web application vulnerabilities. However, when trained with DAST-generated filters, IPS solutions improved by an average of 60%, bringing their performance up to the same level as or better than the tuned WAFs, with their overall blocking effectiveness averaging 82%.
The report says baseline-tuned WAFs are fairly effective at detecting and defending against web attacks. The most effective system found 88% of the known vulnerabilities in the test application, while the average effectiveness across all solutions was 79%.
An average of 19% more vulnerabilities were blocked when DAST-generated filters were applied to WAF solutions.
The study found that a highly trained expert required an average of 3.5 hours to tune a WAF to an acceptable blocking level, which is significantly more time than the typical organisation spends, according to Suto.
“WAFs can be a very valuable part of an organization when properly tuned and effectively trained with DAST filters, saving time and dramatically improving their effectiveness,” he says.
“I also found that IPS solutions, though not designed out-of-box for web application security, can be trained to be very useful as part of a broader security strategy or WAF alternative,” said Suto.
The study examined a cross-section of modern WAFs and IPSs, both proprietary and open source.