Monthly Archives: July 2019

The State of Web Application Firewalls

Larry Ponemon

Web application firewalls (WAFs) are essential to securing web-based applications and, as shown in this research sponsored by Cequence Security, are a necessary or critical piece of an organization’s security arsenal and infrastructure. Unlike traditional firewalls, WAFs analyze traffic and make decisions based on a set of predefined business rules. Traditional firewalls base their decision to allow or block traffic on simple parameters such as IP address or port number. WAFs mostly base their decision on an in-depth analysis of the HTTP data itself (request line, headers and body).
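To make the distinction concrete, here is an added example (not code from the study, Ponemon Institute or Cequence Security) that contrasts a layer-3/4 decision, which sees only source address and destination port, with a WAF-style decision that parses the HTTP request and applies rules to its path, query and body. The deny list, the rule thresholds, the host names and all five sample requests are constructed for this illustration; the `mode` flag shows the difference between a detect-only deployment, which only logs a match, and a blocking one.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote_plus

# Constructed sample traffic: name -> (source IP, destination port, raw HTTP/1.1 request)
SAMPLE_REQUESTS: Dict[str, Tuple[str, int, str]] = {
    "benign": ("198.51.100.10", 443,
               "GET /catalog?item=42 HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: curl/8.0\r\n\r\n"),
    "blocked_ip": ("203.0.113.7", 443,
                   "GET /catalog?item=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    "sqli_probe": ("198.51.100.11", 443,
                   "GET /catalog?item=42%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    "traversal": ("198.51.100.12", 80,
                  "GET /static/../../app.config HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    "oversized_post": ("198.51.100.13", 443,
                       "POST /api/login HTTP/1.1\r\nHost: shop.example\r\nContent-Type: application/json\r\n\r\n"
                       + '{"user": "' + "A" * 5000 + '"}'),
}

# --- Traditional (network-layer) filter: only addresses and ports, no knowledge of HTTP ---
BLOCKED_SOURCES = frozenset({"203.0.113.7"})   # constructed deny list
ALLOWED_PORTS = frozenset({80, 443})

def network_filter(src_ip: str, dst_port: int) -> str:
    """Return 'allow' or 'block' using layer-3/4 parameters alone."""
    if src_ip in BLOCKED_SOURCES or dst_port not in ALLOWED_PORTS:
        return "block"
    return "allow"

# --- WAF-style filter: parse the HTTP request, then apply application-layer rules ---
@dataclass
class HttpRequest:
    method: str
    path: str
    query: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

def parse_http_request(raw: str) -> HttpRequest:
    """Minimal HTTP/1.1 parser: request line, headers, body; percent-decodes path and query."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, unquote_plus(path), unquote_plus(query), headers, body)

# Constructed rule set; real WAF rule sets are far larger and tuned per application.
SQLI_PATTERN = re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+)")
TRAVERSAL_PATTERN = re.compile(r"(^|/)\.\.(/|$)")
MAX_BODY_BYTES = 4096
ALLOWED_METHODS = frozenset({"GET", "POST", "HEAD"})

WAF_RULES: List[Tuple[str, Callable[[HttpRequest], bool]]] = [
    ("method-not-allowed", lambda r: r.method not in ALLOWED_METHODS),
    ("path-traversal", lambda r: TRAVERSAL_PATTERN.search(r.path) is not None),
    ("sqli-in-query", lambda r: SQLI_PATTERN.search(r.query) is not None),
    ("body-too-large", lambda r: len(r.body.encode()) > MAX_BODY_BYTES),
]

def waf_inspect(raw: str, mode: str = "detect") -> Dict[str, object]:
    """Evaluate every rule against the parsed request.

    mode='detect' only records matches and lets the request through ('log');
    mode='block' rejects any request that matched a rule.
    """
    req = parse_http_request(raw)
    matched = [name for name, pred in WAF_RULES if pred(req)]
    if not matched:
        action = "allow"
    elif mode == "block":
        action = "block"
    else:
        action = "log"
    return {"matched": matched, "action": action}

def evaluate_all(mode: str = "detect") -> Dict[str, Dict[str, str]]:
    """Run the network filter first, then the WAF on whatever the network filter allowed."""
    results: Dict[str, Dict[str, str]] = {}
    for name, (ip, port, raw) in SAMPLE_REQUESTS.items():
        net = network_filter(ip, port)
        app = waf_inspect(raw, mode) if net == "allow" else {"matched": [], "action": "not-inspected"}
        results[name] = {"network": net, "waf": str(app["action"]), "rules": ",".join(app["matched"])}
    return results

if __name__ == "__main__":
    for mode in ("detect", "block"):
        print(f"--- mode={mode} ---")
        for name, verdict in evaluate_all(mode).items():
            print(f"{name:15s} network={verdict['network']:5s} waf={verdict['waf']:13s} rules={verdict['rules']}")
```

Note that the network filter stops the request from the deny-listed address without ever looking at HTTP, while the SQL-injection probe, the traversal attempt and the oversized body all arrive from addresses and ports the network filter considers fine and are only caught once the request is parsed. In detect mode those three are logged and passed through, which is the behaviour of a WAF deployed for detection only.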

Ponemon Institute surveyed 595 IT and IT security practitioners who are responsible for the deployment of a WAF in their organizations. Fifty-three percent of respondents are either responsible for application security (30 percent) or are application owners (23 percent).

The research clearly reveals WAF dissatisfaction in three areas. First, organizations are frustrated that so many attacks are bypassing their WAFs and compromising business-critical applications. In addition, they’re experiencing the pain of continuous, time-consuming WAF configuration, and administration tasks. Lastly, they’re dealing with significant annual costs associated with WAF ownership and staffing.

Attacks on the application layer are bypassing organizations’ WAFs. Sixty-five percent of respondents say attacks on the application tier are bypassing the WAF frequently or sometimes.

As a result, most organizations represented in this survey do not think their WAFs are effective in securing their web-based applications and are not satisfied with them.

When asked to rate satisfaction with their organization’s WAF on a scale of 1 = not satisfied to 10 = very satisfied, only 40 percent are very satisfied (7+ responses), because only 43 percent of respondents say their WAF is very effective (7+ responses on the 10-point scale).

Part 2. Key findings

In this section, we provide a deeper analysis of the research findings. The complete audited findings are presented in the Appendix of this report. We have organized the report according to the following themes:

  • The difficulty in protecting Web, mobile and API apps
  • The challenge of WAF deployment and management
  • Features that improve the WAF’s effectiveness

The difficulty in protecting Web, mobile and API apps

Organizations prioritize the protection of Web and mobile applications. Organizations represented in this research protect an average of 158 Web, mobile and API apps. The primary focus of application security is on Web (67 percent of respondents) and mobile (58 percent of respondents) applications. Thirty-seven percent of respondents say their organizations are protecting API services.

Organizations are more effective at protecting mobile applications. When asked to rate their organization’s effectiveness in protecting mobile applications and API services, 54 percent of respondents say they are very effective in protecting mobile apps versus only 38 percent of respondents who say their effectiveness in protecting API services is very high.

Mobile client applications are most likely to interact with organizational applications. Some 55 percent of respondents say mobile apps interact with their organizations’ applications followed by partners using APIs (36 percent of respondents).

Attacks are bypassing the WAF. In the past 12 months, 65 percent of respondents say attacks on their organizations’ application tiers have bypassed the WAF frequently (23 percent) or sometimes (42 percent).

The challenge of WAF deployment and management

Security is the primary reason to invest in a WAF. Organizations are spending an average of $419,100 on WAF products and/or services and an additional average of $200,500 for staff to manage WAF-related security issues. Organizations typically have 2.5 full-time employees to manage the WAF. On average, the staff spends 45 hours per week responding to alerts and 16 hours per week creating and/or updating rulesets.

The top three reasons to invest in a WAF are the protection of the IT infrastructure (60 percent of respondents), prevention of attacks (56 percent of respondents) and the protection of data (54 percent of respondents).

Most WAFs are used only for attack detection. Only 22 percent of WAFs deployed in the organizations represented in this study both detect and block attacks.

Currently, most WAFs are either an on-premises hardware appliance or managed appliance. About one third of respondents say their WAF is an on-premises hardware appliance and 21 percent of respondents say this is the ideal deployment. Twenty percent of respondents say an on-premises virtual appliance is ideal and 18 percent of respondents say a cloud-based WAF is ideal.

Read the rest of this study at the Cequence website.
Is work killing you? Should we blame our tech, ourselves, or our culture? A So, Bob podcast

Bob Sullivan

“Working too hard can give you a heart attack-ack-ack-ack-ack-ack. You oughta know by now.”

Summer is well under way, and if you haven’t planned your vacation yet, you aren’t alone. Americans are terrible at taking vacations, terrible at relaxing — terrible at shutting down and rebooting. I think I know why, and I bet you do, too.

Always-on gadgets mean always-on employees, and this is driving many of us mad. Five years ago, I began a series of stories called The Restless Project to examine all the ways Americans are struggling with constant pressure from tech, and from a broken economy.

People are working themselves sick, even dying at the office. I thought I might write a book about overwork, but then good friend Annie Murphy Paul (more from her soon!) introduced me to then-Washington Post reporter Brigid Schulte, and I learned she had already written that book. It’s called Overwhelmed: Work, Love, and Play When No One Has The Time.

Instead of a book, I’ve now made a podcast about this subject, with Alia Tavakolian and Spoke Media. Click play below or listen on iTunes, on Stitcher, or wherever you get your podcasts.

Maybe this is nothing new. When Billy Joel sang about working too hard in 1977, he wasn’t singing about smartphones. On the other hand, tech and all its trappings make keeping up with life harder and harder with each passing email. New gadgets and new communications tools (Snapchat! Messenger! Instagram DMs!) continuously add to our pile of things to check on.

Brigid is one of the first guests in our So, Bob series, and we talked about the intersection of technology and overwork (Spoiler: She doesn’t blame tech nearly as much as I do!). She is fascinating. Here’s a taste of our discussion.

(Brigid now works for New America and is director of the Better Life Lab.)

BRIGID: There’s a fascinating phenomenon that behavioral scientists have found; they call it tunneling… you kind of have this tunnel vision and then what you’re only able to do is focus on just the few things right in front of you. You’re not able to stop and ask yourself bigger questions. You’re not able to see the bigger picture. You can’t get out of the tunnel and ask yourself that question, do I even want to be in this tunnel?

BOB: …So for you now, it’s almost like a sensation. You’re like, oh my God, I’m going in the tunnel.

BRIGID: Yeah, I can feel it closing in. Yeah. You know, and I, it was somebody else once said because we have this crazy, achievement culture and it’s all about productivity and all of these tips and tricks and life hacks and tech. It’s all supposed to, you know, they, on the one hand we say it’s to make our life easier, but let’s face it in this kind of busy-ness as a badge of honor culture, it’s about cramming more crap into your day and then somehow feeling awesome about just how insanely busy you were and somehow you will manage to end the day standing up.
BRIGID: I would talk to these researchers, this one woman who studies busy-ness and the fast pace of life in North Dakota of all places. And she’s come to the conclusion that busy-ness we’ve made it such a badge of honor that it’s a choice, but she also calls it a non choice choice because you feel like you can’t make any other choice if you want to fit in or if you want to have status. And so, um, I do try to pull out of that like what a sick way to get status. You know, by like making ourselves, you know, ill and unhealthy and not making time for things that you enjoy, that there’s something to be, you know, to be proud about that you have work life conflict or never go on vacation or don’t sleep well. That’s crazy. I do feel like, uh, jobs have become incredibly complicated. I do feel like technology as a part of that. Um, and I think that we haven’t figured out how to manage that well as human beings. And, and so those are things that can be challenging that uh, figuring out how much is enough when you are a knowledge worker and there isn’t a whistle that goes off at the end of the day, you don’t have any visual markers. Like I’ve, you know, created my pile of widgets and I can check the box. It’s very difficult to figure out when you’re done and when is it good enough. Um, so that’s really a challenge of modern work. And I don’t think we have good answers and I’m here to say I’m trying to figure it out myself.