Securing Web applications with Web application firewalls

Are Web application firewalls the best choice for securing Web applications? In this expert response, find out what other Web application security options are out there.

What are the security alternatives for Web application firewalls, and what are the pros and cons of each option?

First of all, I'd say that in security it's best not think in terms of options, but to try and combine different alternatives to provide maximum security.

Application firewalls protect the application layer, normally protecting HTTP communications from attacks like SQL or script injection. Be wary of simplistic pattern-based firewalls, as the attacks might be new and not in the database or more likely will be designed not to be easily detected.

The best solution is to constrain a program's input and output only to accept or output expected data. An example of this is to limit the input length, and only allow numbers when accepting numeric data like credit cards or current age. But there are problems with constraining data, as sometimes the data is unexpectedly long (surnames) or will contain illegal characters (passwords).

Before releasing any Web application to the public, it should then be subjected to static and dynamic source code reviews to validate it has been developed correctly. Finally the program language you choose is also important, because filters built into the language will help prevent many common Web-based attacks. It is wise to learn about the protective mechanisms built into your chosen programming language, and make good use of them.

Protection is sometimes provided by frameworks which support multiple languages and sometimes within variations of the same programming language from different vendors. Check online security sites to see the number of vulnerabilities associated with the language.

Unfortunately, even when adequate protection is offered -- such as the various .Net framework validation controls -- few developers seem to use them, probably because they lack awareness or training.

This was last published in February 2010

Read more on Web application security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.






  • How do I size a UPS unit?

    Your data center UPS sizing needs are dependent on a variety of factors. Develop configurations and determine the estimated UPS ...

  • How to enhance FTP server security

    If you still use FTP servers in your organization, use IP address whitelists, login restrictions and data encryption -- and just ...

  • 3 ways to approach cloud bursting

    With different cloud bursting techniques and tools from Amazon, Zerto, VMware and Oracle, admins can bolster cloud connections ...