Few organizations have the expertise to properly implement and manage Web application firewalls, which have emerged in recent years as tools for enabling organizations to meet certain compliance mandates involving data protection. Consequently, many companies will depend on solution providers to help them get the most value out of their implementation.
"The market is still very under-educated overall in application security strategy," said Mark Carney, managing director of strategic services for Kansas City, Mo.-based Fishnet Security Inc. "It's improving, but not at a pace where the general security community understands the level of care and feeding an application firewall needs and what it takes to make it effective against Web application vulnerabilities."
PCI DSS requires audits for Level 1 merchants (those that process more than 6 million transactions annually); MasterCard recently added the audit requirement for Level 2 merchants (between 1 million and 6 million transactions annually). Knowledgeable and aggressive Qualified Security Assessors (QSAs) will expect companies to demonstrate that Web application firewalls are implemented properly and are being put to use.
"There are auditors who ask, 'Do you have a Web application firewall?' and then say, 'OK, check,'" said Brian Monkman, WAF manager for Mechanicsburg, Penn.-based ICSA Labs, an independent division of Verizon Business, which provides vendor-neutral security product testing and certification for security products, including a WAF certification program. "But there are those who ask more specific questions; the longer Web application firewalls are out there and the more mature they get, the more in-depth these questions will be."
Organizations often need help determining how users interact with applications, as well as what critical data the applications can access, said Brian Contos, chief security strategist for Redwood Shores, Calif.-based application and data security vendor Imperva Inc. Partners can offer up-front discovery as a WAF service to determine which applications and data are in scope.
"Data security has to be much more precise than network security," Contos said. "If you don't know where sensitive data is, it's hard to tell how users interact."
WAFs typically "learn" through initial baselining, which involves running a test period to determine what constitutes acceptable behavior, what is questionable and what is malicious.
This represents another opportunity for solution providers, as the test findings must be analyzed and the results reported to the customer. After the results have been analyzed, the solution provider can work with the customer to build custom rules that define what to allow, what to alert on, and what to block, based on corporate policy as well as likely and potential attacks.
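The baselining and rule-building process described above, as an added illustration that is not code from any vendor mentioned in the article: a toy positive-security-model WAF learns, per path and parameter, which value classes and lengths were seen during the test period, then classifies later requests as allow, alert or block. The paths, parameters and traffic are constructed; the thresholds (an unlearned path or parameter alerts, a value class never seen in the baseline blocks, a value more than twice the baseline length alerts) are assumptions standing in for the corporate policy a solution provider would agree with the customer.

```python
"""
Toy positive-security-model WAF: learn per-parameter profiles from a
baseline traffic sample, then classify later requests as allow/alert/block.
Added illustration only; every path, parameter and value below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Value classes the learner recognises, checked from most to least specific.
# A value that matches none of them is "other" (quotes, '=', '<' and so on).
CLASSES = [
    ("digits", re.compile(r"^\d+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_-]+$")),
    ("email", re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")),
    ("text", re.compile(r"^[A-Za-z0-9 .,'-]+$")),
]


def classify_value(value):
    for name, pattern in CLASSES:
        if pattern.match(value):
            return name
    return "other"


@dataclass
class ParamProfile:
    classes: set = field(default_factory=set)  # value classes seen in baseline
    max_len: int = 0                            # longest value seen in baseline


class LearningWAF:
    def __init__(self):
        # profiles[path][param] -> ParamProfile
        self.profiles = defaultdict(lambda: defaultdict(ParamProfile))

    def observe(self, path, params):
        """Learning mode: extend the profile of each (path, parameter) pair."""
        for name, value in params.items():
            profile = self.profiles[path][name]
            profile.classes.add(classify_value(value))
            profile.max_len = max(profile.max_len, len(value))

    def enforce(self, path, params):
        """Enforcement mode: return (verdict, reason), verdict in allow/alert/block."""
        if path not in self.profiles:
            # A path never seen in baseline usually means a new or changed
            # application; the rule set needs updating rather than a block.
            return "alert", f"path {path!r} not in baseline"
        verdict, reasons = "allow", []
        for name, value in params.items():
            profile = self.profiles[path].get(name)
            if profile is None:
                verdict = "alert"
                reasons.append(f"parameter {name!r} not in baseline")
                continue
            cls = classify_value(value)
            if cls not in profile.classes:
                # Characters the application never received during baselining
                # (policy assumption: hard deviation in value class is blocked).
                return "block", f"{name!r} has class {cls}, baseline {sorted(profile.classes)}"
            if len(value) > 2 * profile.max_len:
                verdict = "alert"
                reasons.append(f"{name!r} length {len(value)} exceeds 2x baseline {profile.max_len}")
        return verdict, "; ".join(reasons) or "within baseline"


def build_baselined_waf():
    """Constructed test-period traffic standing in for the initial baselining run."""
    waf = LearningWAF()
    waf.observe("/search", {"q": "winter boots", "page": "1"})
    waf.observe("/search", {"q": "red-shoes", "page": "2"})
    waf.observe("/account", {"id": "1042"})
    return waf


if __name__ == "__main__":
    waf = build_baselined_waf()
    for path, params in [
        ("/search", {"q": "sandals", "page": "3"}),
        ("/search", {"q": "' OR 1=1--", "page": "1"}),
        ("/account", {"id": "abc"}),
        ("/account", {"id": "1042", "debug": "1"}),
        ("/admin", {}),
    ]:
        print(path, params, "->", waf.enforce(path, params))
```

The split between alert and block is the policy decision the article describes: deviations that most likely reflect application change (new path, new parameter, longer input) surface as alerts for the rule set to be revised, while value classes the application never received during baselining are blocked outright.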
"It becomes a very consultative relationship and that's a lot of value add as opposed to just leveraging technology," Contos said.
That's particularly true in large, complex WAF deployments. To help customers most effectively, experts say, VARs should understand the business logic behind an application as well as the technical details of how it works: the development platform it is built on and the programming language it uses.
"The biggest thing to realize is that applications are complex," said Fishnet's Carney. "They are not as predictable or as straightforward as network-based traffic."
It's especially important to know whether new applications are going to be deployed or existing applications changed, he said. The client will either have to be trained in how to modify WAF rules to accommodate the changes, or will have to contract the solution provider for additional services to do it for them.
"The more dynamic the environment, the more care and feeding is required," Carney said.
In dynamic environments, the solution provider can perform penetration testing using Web application scanners to reveal vulnerabilities introduced with the changes. Customers would be best served by WAF deployments that integrate with scanning tools and/or services, Monkman said. For example, WhiteHat Security Inc.'s cloud-based application scanning service integrates with a number of leading WAFs. The service (or in other cases, product) can create a "virtual patch," a rule that blocks exploits of the particular vulnerability until the code can be fixed.
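The scanner-to-WAF virtual patch described above, as an added example that is not WhiteHat Security's or any WAF vendor's code: constructed scanner findings (a hypothetical path-traversal flaw in a `file` parameter and a hypothetical reflected-XSS flaw in a `q` parameter) are turned into rules scoped to exactly one path and parameter, request values are URL-decoded before matching so an encoded exploit attempt is compared the same way as a plain one, and a rule is retired only by finding id once the code fix has shipped. The finding schema, endpoints and patterns are all assumptions.

```python
"""
Virtual patching: convert a scanner finding into a narrowly scoped blocking
rule that protects the vulnerable endpoint until the code fix is deployed.
Added illustration; the findings, endpoints and patterns are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class VirtualPatch:
    finding_id: str       # scanner finding this rule exists for (its retirement key)
    path: str             # exact request path the rule protects
    param: str            # the vulnerable parameter
    pattern: re.Pattern   # what an attempt against *this* flaw looks like
    action: str = "block"


# Constructed scanner output standing in for a real scanner's report format.
SCANNER_FINDINGS = [
    {"id": "F-0001", "path": "/download", "param": "file",
     "class": "path-traversal", "evidence": r"\.\.[/\\]"},
    {"id": "F-0002", "path": "/search", "param": "q",
     "class": "reflected-xss", "evidence": r"<\s*script"},
]


def patches_from_findings(findings):
    """One rule per finding, scoped to the finding's own path and parameter."""
    return [
        VirtualPatch(f["id"], f["path"], f["param"],
                     re.compile(f["evidence"], re.IGNORECASE))
        for f in findings
    ]


def normalise(value):
    # Decode twice so single- and double-URL-encoded values compare alike.
    return unquote_plus(unquote_plus(value))


def evaluate(patches, path, params):
    """Return (action, finding_id) if a patch fires, else ('pass', None)."""
    for patch in patches:
        if patch.path != path or patch.param not in params:
            continue
        if patch.pattern.search(normalise(params[patch.param])):
            return patch.action, patch.finding_id
    return "pass", None


def retire(patches, finding_id):
    """Drop a rule once the code fix is live and the scanner re-test is clean."""
    return [p for p in patches if p.finding_id != finding_id]


if __name__ == "__main__":
    patches = patches_from_findings(SCANNER_FINDINGS)
    print(evaluate(patches, "/download", {"file": "report.pdf"}))
    print(evaluate(patches, "/download", {"file": "../../etc/passwd"}))
    print(evaluate(patches, "/download", {"file": "%252e%252e%252fetc/passwd"}))
    patches = retire(patches, "F-0001")
    print(evaluate(patches, "/download", {"file": "../../etc/passwd"}))
```

Scoping each rule to one path and parameter is what keeps a virtual patch from becoming a generic signature that breaks unrelated traffic; keying retirement on the finding id is what lets the solution provider prove to a QSA which rules exist, why, and when each one was removed.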
This is essential for critical production applications that can't be taken offline. Patches take time to create and test, especially if development is outsourced.
"You need someone who has an intimate understanding of secure coding, of how Web application firewalls and vulnerability scanners work, and how to integrate them," Monkman said.
That combination of expertise is in short supply, presenting an opportunity for solution providers to offer application security practices, in addition to simple WAF deployments.
"Designing security for applications, especially dynamic ones, can be best done when you have a relationship with a partner," Contos said. "As network security is becoming more commoditized, this is one of the areas I would look at for a lot of growth in the future."