4 Common Web Application Firewall Mistakes and How to Avoid Them

Follow advice from industry leaders on how to avoid these WAF pitfalls to provide your clients with maximum security.


A web application firewall (WAF) is designed to protect web applications from application-layer threats, including application-layer distributed denial of service (DDoS) attacks, brute force attacks, and exploitation of zero-day vulnerabilities in the application it fronts. However, a WAF is only as effective as its deployment: it has to be implemented and tuned properly. Here are four mistakes that managed services providers (MSPs), value-added resellers (VARs), systems integrators (SIs), and other solutions providers need to avoid to provide businesses with the highest level of protection.

1 Insufficient understanding of your client’s IT environment

Pankaj Gupta, Senior Director, Product Marketing, Citrix Systems, says the most common mistake that MSPs and other solutions providers make when selling or implementing a web application firewall is not taking time to understand their clients’ IT environments. “They go in without a clear understanding of the customers’ existing application environment, security posture and gaps that may exist and how a WAF and API security solution might fit in,” says Gupta.

2 Selling WAF instead of a total security solution

Gupta says one of the biggest mistakes that his company sees solutions providers make is focusing on selling just a WAF solution as opposed to a holistic application and API security solution.

“Operational and policy consistency is a big concern for security teams. And MSPs need to clearly demonstrate how solutions can deliver consistent protection across three-tier web and new microservices-based applications in a unified way,” says Gupta. “This means playing up features such as a single pane of glass to easily manage things across whole hybrid, multicloud deployments and security analytics that provide the visibility needed to quickly troubleshoot problems and detect and mitigate compliance issues. It also means selling consultative deployment services to ensure adoption and success.”

3 Selling WAF as a quick fix

Dr. Martin Burkhart, Head of Product Management at Airlock, says, “A common mistake we see MSPs making is selling WAF protection as a quick and easy five-minute fix.”

“Some vendors support this line of argument by providing cloud services with easy-to-use wizards or machine-learning features, promising ‘strong’ security,” he says. “The pitfalls resulting from finishing service integration prematurely are diverse — weak policies that don’t bite, application features break, more integration hassle in the long run.”

“We recommend solutions providers offer their clients enough time for initial integration and also recurring fine-tuning,” he says.

4 Opting for an “Open” WAF that requires continual adjusting

Burkhart also advises that solutions providers start with a secure default setup rather than having an “open” WAF that must be adjusted all the time. “Given the right tools, adding punctual exceptions is far easier than raising the security level later on. Since WAFs are no islands, API security and access management should be addressed at the same time,” he says. “Last but not least, always double-check the setup using security scanners or penetration testing.”
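To make the contrast between an “open” WAF and a secure default concrete, here is a small policy engine written for this article (it is not Airlock’s, Citrix’s, or any other vendor’s code). The request model, the three attack signatures, the application spec, and the probe set are all constructed and deliberately simplified. The open policy passes anything that trips no signature; the secure-default policy additionally requires every path and parameter to be on a positive list, and is opened up only through exceptions scoped to one signature on one parameter of one path. The `audit` function stands in for the scanner or penetration test Burkhart recommends: it replays a set of probes and reports which ones got through.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    """Minimal request: path plus already URL-decoded parameters (constructed)."""
    path: str
    params: dict


# Constructed, simplified signatures standing in for the negative-security layer.
ATTACK_SIGNATURES = {
    "sqli": re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
    "xss": re.compile(r"(?i)<\s*script|javascript:|\bon\w+\s*="),
    "traversal": re.compile(r"\.\./|\.\.\\"),
}


@dataclass
class Policy:
    """default_allow=True is the 'open' WAF: anything that trips no signature
    passes.  default_allow=False is the secure default: only paths and
    parameters listed in `allowed` pass, and only after signature checks."""
    default_allow: bool
    allowed: dict = field(default_factory=dict)   # path -> {param: value regex}
    exceptions: set = field(default_factory=set)  # (path, param, signature)

    def add_exception(self, path, param, signature):
        """A punctual exception: one signature, on one parameter, on one path."""
        self.exceptions.add((path, param, signature))

    def evaluate(self, req):
        """Return (allowed, reason) for a request."""
        for name, value in req.params.items():
            for sig, rx in ATTACK_SIGNATURES.items():
                if (req.path, name, sig) in self.exceptions:
                    continue
                if rx.search(value):
                    return False, f"signature:{sig}:{name}"
        if self.default_allow:
            return True, "default-allow"
        spec = self.allowed.get(req.path)
        if spec is None:
            return False, "unknown-path"
        for name, value in req.params.items():
            rx = spec.get(name)
            if rx is None:
                return False, f"unknown-param:{name}"
            if not rx.fullmatch(value):
                return False, f"bad-value:{name}"
        return True, "positive-model"


# Hypothetical application spec for the positive model (constructed).
APP_SPEC = {
    "/search": {"q": re.compile(r"[\w .,-]{1,64}")},
    "/tickets/new": {
        "title": re.compile(r"[^\x00-\x1f]{1,120}"),
        "body": re.compile(r"[\s\S]{1,4000}"),
    },
}


def open_policy():
    return Policy(default_allow=True)


def secure_policy():
    return Policy(default_allow=False, allowed=APP_SPEC)


# Constructed probe set standing in for a scanner or pentest run.
PROBES = [
    ("sqli", Request("/search", {"q": "' OR '1'='1"})),
    ("xss", Request("/search", {"q": "<script>alert(1)</script>"})),
    ("traversal", Request("/search", {"file": "../../etc/passwd"})),
    ("param-tamper", Request("/search", {"q": "shoes", "role": "admin"})),
    ("unknown-endpoint", Request("/debug/env", {"dump": "1"})),
]


def audit(policy):
    """Names of probes the policy let through; an empty list means all blocked."""
    return [name for name, req in PROBES if policy.evaluate(req)[0]]


# Legitimate traffic that trips a signature: a developer pastes SQL into a bug
# report.  On the secure policy it needs exactly one scoped exception.
TICKET = Request("/tickets/new", {
    "title": "Search breaks on pasted SQL",
    "body": "repro: SELECT * FROM users UNION SELECT 1, 2 -- returns 500",
})


def ticket_with_exception():
    pol = secure_policy()
    before = pol.evaluate(TICKET)
    pol.add_exception("/tickets/new", "body", "sqli")
    after = pol.evaluate(TICKET)
    # Same payload on /search is still blocked: the exception does not leak.
    elsewhere = pol.evaluate(Request("/search", {"q": TICKET.params["body"]}))
    return before, after, elsewhere


if __name__ == "__main__":
    print("open policy lets through:  ", audit(open_policy()))
    print("secure policy lets through:", audit(secure_policy()))
    print("ticket before/after/elsewhere:", ticket_with_exception())
```

Run stand-alone, the open policy lets the `role=admin` tampering and the `/debug/env` probe through because neither matches a signature, so each such gap has to be discovered and closed later, one rule at a time. The secure default blocks all five probes, and the one legitimate request it breaks is fixed by a single exception that leaves `/search` fully protected. The `audit` step is the part that should never be skipped: it is the only evidence that the policy that was sold is the policy that is running.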

A lot is riding on avoiding Web Application Firewall mistakes

With so many applications and services moving to the web in verticals including education, government, retail and healthcare, it’s vital to implement solutions that will protect your clients’ data and their users. Highly regulated businesses, such as those that must comply with HIPAA or PCI DSS, are expected to protect their web-facing applications, and a web application firewall is a common way to meet that requirement. An improperly configured WAF is not acceptable for these — or any — business.

Ensure from your first meeting with your client and through ongoing service delivery that you provide the optimal solution to address your client’s security needs.