Modern Applications and Architectures Demand a New Web Application Firewall

Legacy web application firewalls were developed before the proliferation of APIs, microservices and cloud–and they’re struggling to keep up.

James Wickett, Head of Research

If you have been around computing for any length of time, you realize one universal constant: the industry is always evolving. Over the last decade we have seen huge changes in our development models, architecture designs, and the infrastructure where we run applications. We now prefer development measured in days instead of months, microservice architectures over monoliths, and cloud resources over hardware that must be owned and maintained. Of course, no one is able to make a wholesale conversion from the old model to the new, and there are always remnants of the old ways that stick around your organization.

This paper looks at these three areas–architecture, development, and infrastructure–and how they necessitate a new approach to web application security, namely a new breed of web application firewall (WAF). Using data from Signal Sciences customers, we see that one of the most important aspects of a WAF is the ability to be deployed in a wide variety of architecture and infrastructure models. This not only gives the most reliable coverage, but also meets the needs of any organization delivering modern applications.


Evolving Architectures

Architecture changes have been happening over the course of decades, and the decisions made during any given era of computing have almost always been driven by resource constraints. CIOs, IT, and development staffs had to make compromises between the available computational, network, and storage resources and how much budget was allocated for each. In the early days of web applications, they generally followed a federated model where web browsers were responsible for the presentation and connected to the application, which did the heavy lifting.

On the backend, web applications looked pretty much the same at every organization. It was an n-tier architecture with each tier taking on a unique role–for example, a three-tier architecture might be composed of web servers for the presentation layer, a middle layer for application logic, and a last tier where the database resides.

However, in modern applications, we see the clients–ranging from web browsers to mobile apps–connecting to multiple services to render the application. This is a move towards a distributed architecture that is based on services.

Taking an application and decomposing it into a set of services is exactly the approach that a microservices architecture promotes. Each of these services is now available to developers to assemble wholly new applications. As you might have guessed, a microservices model makes it much easier for developers to deliver applications, which allows faster business cycles from idea to product.

Securing Modern Architectures

In an n-tier model, the best place to put a web application firewall (WAF) is at the top tier due to its position in the communication stream. This was the common thinking and approach, but it has these four inherent flaws:

1. It relies on an inline architecture, which is slow and inefficient.
2. It requires tuning as new applications are built or deployed.
3. It can't support multiple content delivery networks (CDNs).
4. It introduces a chokepoint that is expensive to deploy and maintain.

When every service and API is talking to every other over HTTP and new applications can come online in days, the WAF has to change. To get coverage across all applications, a WAF should be deployed alongside or in front of each service. And this is not just coverage of microservices: a WAF should also be flexible enough to protect any tier-based architecture model as well as a microservices model.

[Figure: Web Application Architecture Evolution – N-Tier Architecture and Microservices Architecture]

Software Development Models

Put together a long list of requirements, design the application, fill out your Gantt chart, and so on. This was the approach the software industry took to building applications. Each phase of the software development lifecycle fed into a subsequent stage. Month by month, the work cascaded down from customer to design to developers, which is why it was dubbed the Waterfall Method. The hallmarks of the method are familiar: over-budget, overdue projects that were generally not what the customer wanted in the first place.

As a way to rescue the industry, a group of developers got together in 2001 and crafted the Agile Manifesto. Since then, Agile has rippled across the industry and has been a huge success. It has impacted almost every software development organization on the planet, as it promises faster development cycles, measured in days rather than the months or years commonly experienced in waterfall shops. Agile's only disadvantage was that it was mostly used by developers and left out the operations teams.

Once cloud computing and Infrastructure as Code became mainstream ideas, Agile moved into new territory and brought a new name with it: DevOps. The joining of two disparate groups, devs and ops, meant applications and services would be delivered together. This created an innovation and feedback loop across the entire system. Instead of just being able to make changes to an application in days, DevOps ushered in the ability to deploy the entire system (application and infrastructure) multiple times a day. This created the agility and velocity that businesses craved to innovate and stay ahead of the competition. But with the evolution of software development practices, we have to change how we implement defense.

[Figure: Software Development Evolution – Waterfall, Agile, DevOps]

Staying Secure at the Speed of Development

The previous generations of web application firewalls required a tuning period. After every change to your application, the WAF would be put into "learning mode", which allowed it to learn over a period of time what the normal actions for the application were. At a minimum, this learning period was usually recommended to be several days long, but some vendors asked for weeks to get enough sample data. This might have been acceptable for waterfall development, but with the rise of Agile and DevOps, it just doesn't work.

[Figure: Legacy Approach to WAF]

Tuning was necessary because the previous generation of WAF suffered from high false positive rates due to how tightly it coupled detection and blocking: every rule match was itself the block decision, so every imprecise rule became a false positive that had to be tuned away. Modern defense splits detection from decisioning, which has two distinct advantages:

1. It dramatically lowers the false positive rate to near zero. It is much more accurate because it allows the collection of security telemetry that can be acted on holistically rather than as discrete events. Decisions are enriched by intelligence gathered from the entire HTTP/HTTPS conversation between the client and server.

2. Splitting up detection and decisioning eliminates the tuning period or a “learning mode.”

Net result? Security can keep pace with whatever software development cadence the business needs.
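To make the detection/decisioning split concrete, here is an added illustration written for this page; it is not Signal Sciences code and does not describe how their product decides. A detection step tags each request with signals (deliberately crude, assumed patterns for SQL injection, XSS and path traversal), and two decision models consume those tags: a legacy inline model that blocks on any single match, and a decoupled model that records signals per client in a sliding window and only blocks once a client has accumulated a threshold of tagged requests. The threshold (5), window (60 s), client addresses and the replayed traffic are all constructed for the example. A legitimate user whose search term happens to contain SQL keywords is blocked by the inline model but not by the telemetry-fed one, while an attacker sending a burst of probes is still blocked.

```python
"""Detection split from decisioning: an illustrative model, not Signal Sciences code.

Signal patterns, threshold, window and the traffic below are assumptions
constructed for this example.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Detection signals. Deliberately crude; a real detector would handle
# encodings, context and many more attack classes.
SIGNALS = {
    "SQLI": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s*$)"),
    "XSS": re.compile(r"(?i)<script|onerror\s*=|javascript:"),
    "TRAVERSAL": re.compile(r"\.\./|%2e%2e%2f", re.I),
}


@dataclass(frozen=True)
class Request:
    client_ip: str
    ts: float        # seconds since an arbitrary epoch
    path: str
    query: str


def detect(req: Request) -> list[str]:
    """Detection step: return the names of every signal matching the decoded request."""
    text = unquote_plus(f"{req.path}?{req.query}")
    return [name for name, rx in SIGNALS.items() if rx.search(text)]


def legacy_inline_decision(req: Request) -> str:
    """Legacy model: detection and blocking are one step, so any match blocks."""
    return "block" if detect(req) else "allow"


class DecoupledDefense:
    """Decisioning layer fed by detection telemetry rather than single events.

    A client is blocked only once it has produced `threshold` tagged requests
    inside a `window`-second sliding window.
    """

    def __init__(self, threshold: int = 5, window: float = 60.0):
        self.threshold = threshold
        self.window = window
        self.events: dict[str, deque[float]] = defaultdict(deque)
        self.signal_counts: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))

    def observe(self, req: Request) -> list[str]:
        """Record signals for the client; never blocks on its own."""
        signals = detect(req)
        if signals:
            self.events[req.client_ip].append(req.ts)
            for s in signals:
                self.signal_counts[req.client_ip][s] += 1
        return signals

    def decide(self, req: Request) -> str:
        """Decide using the client's whole recent history, not just this request."""
        q = self.events[req.client_ip]
        while q and req.ts - q[0] > self.window:   # drop events outside the window
            q.popleft()
        return "block" if len(q) >= self.threshold else "allow"

    def handle(self, req: Request) -> str:
        self.observe(req)
        return self.decide(req)


def run_scenario() -> dict:
    """Replay constructed traffic through both models; return per-client block counts and telemetry."""
    traffic = [
        # Legitimate user searching a blog for an article about SQL injection.
        Request("203.0.113.7", 0.0, "/search", "q=union+select+tutorial"),
        Request("203.0.113.7", 2.0, "/posts/42", ""),
    ] + [
        # Attacker probing the login form eight times within a few seconds.
        Request("198.51.100.9", 10.0 + i, "/login", f"user=admin'+or+'1'='1&id={i}")
        for i in range(8)
    ]
    decoupled = DecoupledDefense(threshold=5, window=60.0)
    blocks = {"legacy": defaultdict(int), "decoupled": defaultdict(int)}
    for req in traffic:
        if legacy_inline_decision(req) == "block":
            blocks["legacy"][req.client_ip] += 1
        if decoupled.handle(req) == "block":
            blocks["decoupled"][req.client_ip] += 1
    return {
        "blocks": {model: dict(counts) for model, counts in blocks.items()},
        "signals": {ip: dict(c) for ip, c in decoupled.signal_counts.items()},
    }


if __name__ == "__main__":
    for model, counts in run_scenario()["blocks"].items():
        print(model, counts)
```

The inline model blocks the legitimate search once and the attacker eight times; the decoupled model lets the single benign request through, still blocks the attacker from the fifth probe onward, and keeps the per-client signal counts as telemetry that can be reviewed or fed back to developers. Lowering the threshold or widening the window trades false negatives for false positives; the point is that the trade-off is made in the decisioning layer with history in hand, not baked into each rule.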

Modern Infrastructure

Where is my application running? That is a significantly harder question these days than in previous generations. No longer can we just point to a rack of servers: applications now run in the cloud, on a platform, or maybe in Kubernetes or another container orchestration platform. The question also presumes just one application. If we instead expand it to an entire web domain or property, the more likely answer is a heterogeneous mix of hardware, cloud, and containers. Where is my application running? Well, let's just say: it's complicated.

Signal Sciences customers range from the largest websites on the planet to healthcare startups to media, large enterprises, and more. Across these different verticals, we examine how infrastructure is being used. For our top five cloud and platform providers, usage is heavily skewed towards Amazon Web Services, with AWS almost equal to the others combined.

[Figure: Cloud Usage by Signal Sciences Customers – Amazon 54%; Other (Azure, Heroku, IBM, Google) 46%]

But that is just one picture of infrastructure. Another way we look at infrastructure is the method by which Signal Sciences is deployed. There are three main ways customers deploy Signal Sciences:

1. WAF in web server. This is Signal Sciences hooked directly into the web server using the Signal Sciences modules for IIS, Apache, and NGINX. This is the most common way customers use Signal Sciences, and we have broken out these web server variations in the deployment modes graph.

2. WAF as a proxy. Signal Sciences can also be used as a stand-alone reverse proxy to front any HTTP/HTTPS application or service. This means that even applications that have gone untouched for years can still be defended. As a stand-alone proxy, Signal Sciences can also be used in conjunction with popular load balancers like HAProxy or NGINX Plus.

3. RASP language module. Signal Sciences can also run inside your Java, Go, Python, .NET, Node.js, or PHP application.

[Figure: Signal Sciences Deployment Modes – IIS; Apache; Nginx/Nginx+; Load Balancer (haproxy, reverse proxy); Language Module (Java, Golang, .NET, PHP, Python, nodejs); Containers, Serverless, Other]

You'll notice that we have a category listed as "Containers, Serverless, Other." Signal Sciences can be deployed within almost any container workload, and it can also function inside the API gateways Section.io and Kong to defend APIs and serverless functions.

Staying Secure Across a Modern Infrastructure Mix

A homogeneous infrastructure in an organization of any size is very unlikely. One of the keys to securing and defending modern applications and APIs is breadth of coverage across any infrastructure. Because the application has been decomposed into smaller services and components, the defense needs to be spread to those same delivery stacks.

To get the necessary coverage, defensive tools, whether open source or commercial, should be evaluated for use in:

• Major cloud providers (e.g. AWS, Azure, IBM, GCE)
• Container platforms (e.g. Kubernetes, Docker)
• Hardware and web servers (e.g. load balancers, web servers)
• Serverless options (e.g. API gateways)
• Platform services (e.g. Heroku, language plugins)

Breadth in coverage is one of the most important ways to get web application defense and keep up with the changes all organizations face. Security teams often find themselves either supporting new infrastructure initiatives or inheriting legacy applications and systems–either way, finding tools to span the old and the new can make all the difference.

[Figure: Modern Infrastructure Mix – Cloud, Containers, Hardware, Serverless, Platforms]

*Special thanks to Sean Bohan, Sr. Data Analyst at Signal Sciences

Summary: We Need Defense for Any Architecture, Infrastructure, or Language

The core premise behind WAFs–stopping application security attacks–is more relevant than ever, with web application attacks continually being the number one source of data breaches over the last 5 years. But the modern application looks nothing like it did a decade ago, so why are we using legacy WAF defense designed for yesteryear's applications? Instead of deploying defenses at one spot only in our system, we need to split up our WAF and put the defense where applications live.

There are three main reasons customers choose Signal Sciences to defend their web systems:

1. A solution that works for any architecture that our customers use to develop and deploy their apps, APIs and microservices, from cloud to on-prem to containers.

2. Automated protection that works out of the box without rules tuning and with virtually no false positives: this is why 95% of our customers use Signal Sciences in blocking mode in production. Internal sites and services can be protected and monitored even if they're not exposed to the public Internet.

3. We empower DevOps, Security and Operations teams with feedback loops that share actionable information with all groups that need visibility.

Signal Sciences can be used in any combination of cloud provider, datacenter, web server, load balancer, language, or container orchestration framework. Because of this breadth, Signal Sciences provides visibility, actionable insights and automated blocking to stop application attacks before they start. These capabilities are validated by our customers, whose collective testimony resulted in Signal Sciences being named a Gartner Peer Insights Customers' Choice in the Web Application Firewall category.

SIGNALSCIENCES.COM | 1.424.404.1146