Securing Web applications with Web application firewalls

Are Web application firewalls the best choice for securing Web applications? In this expert response, find out what other Web application security options are out there.

What are the security alternatives for Web application firewalls, and what are the pros and cons of each option?

First of all, I'd say that in security it's best not think in terms of options, but to try and combine different alternatives to provide maximum security.

Application firewalls protect the application layer, normally protecting HTTP communications from attacks like SQL or script injection. Be wary of simplistic pattern-based firewalls, as the attacks might be new and not in the database or more likely will be designed not to be easily detected.

The best solution is to constrain a program's input and output only to accept or output expected data. An example of this is to limit the input length, and only allow numbers when accepting numeric data like credit cards or current age. But there are problems with constraining data, as sometimes the data is unexpectedly long (surnames) or will contain illegal characters (passwords).

Before releasing any Web application to the public, it should then be subjected to static and dynamic source code reviews to validate it has been developed correctly. Finally the program language you choose is also important, because filters built into the language will help prevent many common Web-based attacks. It is wise to learn about the protective mechanisms built into your chosen programming language, and make good use of them.

Protection is sometimes provided by frameworks which support multiple languages and sometimes within variations of the same programming language from different vendors. Check online security sites to see the number of vulnerabilities associated with the language.

Unfortunately, even when adequate protection is offered -- such as the various .Net framework validation controls -- few developers seem to use them, probably because they lack awareness or training.

Read more on Web application security