Surprisingly, the answer is neither. Both options provide
potential solutions that are independent of one another and yet capable of
working cooperatively at the same time.
Instead of looking for an easy or one-size-fits-all security
solution, consider the proper application of each tool. Firewalls, automated
scanners and live penetration testers all have their place when it comes to
implementing the most effective security posture possible.
In this post, we’re going to compare web application
firewalls to web application vulnerability scanners. The objective is to help
you to understand their proper application as well as how they can be used in
conjunction with one another.
What is a Web Application Firewall?
There is often some confusion surrounding the use of WAFs
and how they differ from a scanner. While there is certainly a technical
description, sometimes it’s easiest to begin with an explanation as it relates
to history.
In 1179, Henry II began reconstruction of Dover Castle and
its surrounding defences using a concentric design — the first of its kind in
Western Europe. Every castle is vulnerable to attack, and to counter this risk
Henry had a series of outer walls constructed around the castle, designed to
act as an initial line of defence. These walls were an effective way of
controlling traffic both in and out of the castle. Could they be breached?
Well, as Prince Louis of France discovered in 1216, yes, in fact, they could.
But not easily, and not without alerting the King, who successfully implemented
countermeasures and forced a French retreat.
Web application firewalls work in a similar but modern way —
surrounding a web application with a virtual wall that inspects both
inbound and outbound traffic, protecting the application and looking for signs
of a potential data breach, such as SQL injection, XSS and session hijacking.
For this reason, WAFs are often deployed as a preventative measure by the
owners or administrators of web applications.
Web application firewalls are also effective when it comes
to analyzing traffic patterns. If an unusual or suspicious pattern is detected,
countermeasures can be put in place in real-time, effectively preventing a
breach before it happens.
At the same time as WAFs seek to control traffic, they
should also keep traffic flowing as efficiently as possible. This can be
accomplished via caching, compression, load balancing and more. In this regard,
not only do WAFs improve security, they also improve performance, making them
an attractive “alternative”.
But web application
firewalls should not be considered an alternative security measure. Yes,
WAFs are extremely effective at performing their assigned task. However,
hackers have proven to be equally effective in their attempts to circumvent
WAFs, and in many cases, have been successful. In addition, the use of
automated tools by hackers is now prevalent as they seek to expose
vulnerabilities within web application firewalls.
What is a Web Vulnerability Scanner?
Also referred to as web application vulnerability scanners,
these automated tools communicate with and scan web applications in search of
potential vulnerabilities. While web application firewalls shield existing
vulnerabilities from attack (including SQL injection, XSS, administrator
privileges, HTTP vs HTTPS, brute force and more), web application security
scanners are different: they search for and identify vulnerabilities, which
gives the developer or end user an opportunity to close them. Web application
security scanners offer a more permanent solution as long as the information
is acted upon.
Let’s jump back to our historical example for a brief
moment. In 1216, when Prince Louis of France breached the outer defences of
Dover Castle and eventually breached the gatehouse, a vulnerability was
exposed. Perhaps Prince Louis would have made a great penetration tester —
thanks to his hard work in breaching the north gate, the vulnerability was
exposed and in subsequent years, patched and hardened.
Web application security scanners are the tool of choice for
web application developers and penetration testers because instead of
protecting a vulnerability from attack, they expose it. In doing so, they
provide an opportunity to fix the code itself.
Should You Use a Web Application Firewall or Web Application Scanner?
Like most things, the ideal answer lies in finding a balance
and in using the right tool for the right reasons and in the right situations.
Web application firewalls are an effective and often
indispensable tool in the fight against hackers. However, they should not be
relied upon as the only solution, for one specific reason: they do nothing to
resolve or patch the security vulnerability itself.
A web application
firewall should act as the first line of defence, not the last. If you
don’t use a scanner to expose potential vulnerabilities, you’re placing your
entire security posture at risk. Inevitably, at some point in time, a web
application firewall will have its own vulnerabilities exposed, leaving your
application unprotected.
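The contrast drawn above (a WAF inspecting inbound traffic in front of vulnerable code, versus fixing the code a scanner would flag) as an added example that is not part of the original post. The in-memory table, the single signature rule and the three handler functions are all constructed for the illustration; a real WAF rule set is far larger.

```python
import re
import sqlite3

# Constructed sample data so the demonstration runs offline.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
_conn.executemany("INSERT INTO users VALUES (?, ?)",
                  [("alice", "admin"), ("bob", "user"), ("carol", "user")])

# A deliberately tiny WAF-style signature (constructed for this example):
# a quote character followed by OR / AND, the shape of the classic tautology.
_SQLI_SIGNATURE = re.compile(r"'\s*(or|and)\s+", re.IGNORECASE)


def waf_inspect(param):
    """Inbound inspection as a WAF performs it. True means 'block this request'."""
    return bool(_SQLI_SIGNATURE.search(param))


def lookup_vulnerable(name):
    """The defect a scanner would report: user input spliced straight into SQL."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in _conn.execute(sql)]


def lookup_fixed(name):
    """The code-level fix: a parameterised query, safe with or without a WAF."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in _conn.execute(sql, (name,))]


def handle_request(name, handler, waf_enabled):
    """Simulate one request passing through an optional WAF to a handler.

    Returns ("blocked", []) when the WAF rejects it, else ("ok", rows).
    """
    if waf_enabled and waf_inspect(name):
        return ("blocked", [])
    return ("ok", handler(name))
```

The vulnerable handler leaks every row the moment a request reaches it without passing through the WAF, which is exactly the gap the post warns about; the parameterised handler returns nothing for the same input whether the WAF is present or not.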
Understanding the independent role of each tool makes it
clear why they should be used in conjunction with one another, but never relied on
as the solitary method of defence.