The benefits of a WAF, or web application firewall, can make the difference between a secure web application and a compromised one. Many IT managers still struggle with WAFs because they are expensive and difficult to maintain. Sometimes they are considered unnecessary when other security practices, such as secure software development and code review, are already in place. If you are running on a limited budget or set of resources, you may have moved WAFs from the “need to have” list to the “nice to have” list. In this article we will give you three reasons to have one, but first, let’s start with the basics.

What is a Web Application Firewall (WAF)?

A web application firewall (WAF) protects an application or service by blocking requests and responses that do not comply with a firewall policy, that is, a set of rules applied to an HTTP conversation. WAFs do not require modification of the application’s source code.

The rules for blocking an attack can be customized to the protection requirements of the websites the WAF is defending. WAFs are considered an evolving information security technology. A WAF is more powerful than a standard network firewall because it does not work at the TCP/IP level but at the application level.

A WAF is a filter that sits in front of your web application and inspects incoming traffic for possible threats and malicious activity. It is one of the most common means of protection against application-layer attacks.

Traditionally, WAFs were deployed as an appliance located in the organization’s data center. However, due to the increasing complexity of IT infrastructure and cyber threats, the on-premises WAF is evolving into the cloud.

As companies continue their rapid transition to the cloud and customers demand more agility, on-premises WAFs are no longer enough to protect against attacks at the edge of the network, since they reside on the same network as the applications they protect.

To solve this security problem, companies have started adopting cloud-based web application firewalls to mitigate malicious traffic.

WAFs are an important piece of a layered security architecture for defending against zero-day exploitation. You may remember that a zero-day exploit was discovered for TimThumb, a popular image resizing module for WordPress. TimThumb is included in numerous add-ons and WordPress themes. The remote file vulnerability in this instance was the result of faulty programming logic that essentially allowed anyone to upload any file and execute it from the TimThumb cache directory. This led to countless compromised WordPress installations. The lesson here is: you do not always have control of the software you are using, and therefore you do not control your own security. When a zero-day exploit is released, it is up to that software’s developer to create an official patch, or you must remove the functionality completely. If you have a WAF, you can virtually patch the vulnerability and protect your infrastructure until the vendor has released a patch, or until you can successfully patch the code yourself.

You probably (hopefully) run vulnerability scans fairly often. Depending on the nature of your business and the resources available, you might scan once a quarter or several times a month. So what happens when you discover a vulnerability in your web application? Some organizations have the workforce to patch or otherwise address the risk immediately. Others simply cannot, for a number of reasons, including a lack of technical staff with experience in certain classes of vulnerability. If your company belongs to the latter group, then your organization is at risk for as long as that vulnerability is present. Some WAFs can import your scan results and automatically virtual-patch your application for immediate protection.

Attackers have several ways to exfiltrate data and, unless you already know you have been compromised, detecting exfiltration can be complicated. Data leakage can be caused by something as insignificant as a detailed error message presented to a user of the public application. If your application handles source code, credit card numbers, health information or other critical data, then a simple leak can turn into a catastrophe. Here a WAF acts like an X-ray machine: it inspects everything returned in response to the users of your web application. If the WAF finds something it does not like, the response is flagged and stopped before it leaves your network. Most WAF vendors ship high-level behavioral signatures that look for credit card numbers and social security numbers. You can also write additional signatures for anything else you do not want leaving your network. Examples include vital record information, source code and certain file names.
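As an added illustration (not code from the original article), here is a minimal outbound-response filter in Python of the kind described above: it flags Luhn-valid payment-card numbers, SSNs in the NNN-NN-NNNN layout, and two hypothetical site-specific signatures (source-code markers and sensitive file names), and replaces the response body when anything fires. The regexes, signature names and the sample error page are constructed for this example.

```python
import re

# Candidate payment-card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number in the common NNN-NN-NNNN layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Site-specific signatures of the kind the text says you can add yourself (hypothetical values).
CUSTOM_SIGNATURES = {
    "source-code": re.compile(r"<\?php|^\s*import\s+\w+", re.MULTILINE),
    "internal-file": re.compile(r"wp-config\.php|(?<!\w)\.env\b|\bid_rsa\b"),
}

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; cuts false positives on order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_response(body: str) -> list:
    """Return (signature, match) pairs found in an outbound response body."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("payment-card", m.group()))
    findings += [("ssn", m.group()) for m in SSN_RE.finditer(body)]
    for name, pattern in CUSTOM_SIGNATURES.items():
        findings += [(name, m.group()) for m in pattern.finditer(body)]
    return findings

def filter_response(body: str) -> tuple:
    """Replace the body when a signature fires (block), otherwise pass it through unchanged."""
    findings = scan_response(body)
    if findings:
        return "Response blocked by outbound content policy.", findings
    return body, findings

if __name__ == "__main__":
    # Constructed sample: a verbose error page of the kind the text describes.
    sample = ("Fatal error in /var/www/html/wp-config.php on line 42\n"
              "Failed to charge card 4111 1111 1111 1111 for customer SSN 123-45-6789")
    body, hits = filter_response(sample)
    print(body)
    for sig, match in hits:
        print(f"  {sig}: {match}")
```

A production WAF would apply such signatures per content type and log the match for the SOC rather than only swapping the body; the Luhn check is what keeps an order-number-heavy page from being blocked on every request.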

These are just three examples, but there are numerous reasons to consider incorporating web application firewalls into your security program.