Your Restaurant Clients Need a WAF

Web and mobile applications are moving targets that require more protection than a traditional network firewall can provide.

Online Payment Security

The trend from on-premises dining to online ordering for takeout or delivery has accelerated over the past few years. With more restaurants engaging customers and accepting orders and payments online, they must also adapt their security strategies to protect their businesses. Restaurant value-added resellers (VARs) and managed services providers may need to educate their clients about what it takes to secure restaurant operations online – and to answer questions including “What does a web application firewall do?”

Tushar Richabadas, Senior Product Marketing Manager – Applications and Cloud Security, Barracuda, shares insights about which restaurants will benefit from a web application firewall (WAF), how to communicate its value, and how VARs and MSPs can provide these solutions to their customers.

Are web application firewalls deployed in most restaurants?

Richabadas: For larger chain restaurants, they operate more extensive online properties that need more protection. Think of Dominos, Pizza Hut or Panera Bread – two of which had web application vulnerabilities in the past couple of years.

Single restaurants or smaller chains typically use Software as a Service (SaaS) solutions like OpenTable to provide their online services. So, in many cases, they don’t need a full WAF. Most likely, they will either use the protection offered by the SaaS platform or a WAF-as-a-Service solution like Barracuda WAF-as-a-Service.

What does a web application firewall do that makes it so crucial for restaurants accepting more online orders for takeout or delivery?

Richabadas: For restaurants and chains using a web application or mobile app for ordering, having a WAF or WAF-as-a-Service is essential to prevent attacks. These attacks could range from ordering without paying to breaching their customer database to spreading ransomware into the restaurant’s network, causing it to shut down completely. In addition, web and mobile application security are moving targets; having a WAF or WAF-as-a-Service in place ensures that attacks are easily blocked, and data breaches are stopped.

Is a WAF a PCI requirement?

Richabadas: PCI-DSS does not mandate having a WAF in place, but having a properly configured WAF will satisfy the security requirements for the relevant sections of the standard.

How can VARs and MSPs communicate the value of WAF to their restaurant clients?

Richabadas: VARs can talk to their clients about the threat landscape and the fact that many malicious actors are trying to make money hacking web and mobile applications. Malicious actors vary from a kid in the neighborhood trying to score free pizza to someone trying to hold the organization for ransom by bringing down their POS systems. Defense in depth is vital everywhere, and with e-commerce functions, such as online ordering, where the web and mobile applications are the breadwinners, it is imperative.

What advice can you give restaurant VARs about WAF?

Richabadas: VARs should consider recommending a SaaS security solution to their restaurant customers that protects applications, APIs, and mobile app backends against various attacks, including the OWASP Top 10, zero-day threats, data leakage, and application-layer distributed denial of service (DDoS) attacks.

For more information on what a web application firewall does to protect restaurants and Barracuda WAF-as-a-Service, which removes much of the complexity of the configuration and use, visit