Elevate Security with These Web Application Firewall Best Practices

Effective WAF implementation takes a consultative approach, planning, proper configuration and continuous testing.

Web applications and websites are desirable cyberattack targets. Unprotected web applications can give hackers access to an extensive pool of user data or the ability to distribute malware to many people. To protect your clients, their networks, their customers and their data from cyberattacks, you must deploy an end-to-end security solution that includes a web application firewall (WAF).

However, managed services providers (MSPs), value-added resellers (VARs) and other solutions providers need to observe WAF best practices – from the sales process to delivering ongoing services – to provide their clients with the highest level of security possible.  

WAF Sales and Planning

Nitzan Miron, Vice President of Product Management, Application Security Services, Barracuda, advises a consultative sales approach. “It’s the preferred way to engage with a customer due to the dynamic nature of applications,” he says.

A practical approach is to use a vulnerability scanner, such as the Barracuda Vulnerability and Remediation Service (BVRS), which can scan applications and generate a detailed report of existing vulnerabilities. This information can demonstrate the need for a WAF and prioritize implementation of the business’ security plan.

Miron stresses that the WAF is only one part of that plan. “In a converging world, well-integrated solutions can greatly benefit overall security posture, reduce latency and increase performance.” For example, when deployed alongside Barracuda CloudGen Firewall (CGF), the Barracuda WAF can have offending traffic blocked at the CGF (network) layer rather than only at Layer 7 in the WAF itself, which makes the combined solution more efficient.

He adds that MSPs and VARs should also implement solutions with advanced features, such as distributed denial-of-service (DDoS) and bot protection, to build an effective approach to security.

Miron reminds MSPs and VARs that no two applications are alike, so WAF policies should be explicitly fine-tuned for each application. Ensuring that the solution meets each business’ compliance needs is also essential.

Continuous Testing of WAF

In addition to identifying and mitigating risks when deploying a WAF, vulnerability scanning should be ongoing. Miron says the frequency depends on how quickly applications are expected to change. “In agile environments where applications change often, a vulnerability scanner is important in ensuring continuous application vulnerability monitoring and remediation. A WAF should not only be application- and compliance-centric – for a comprehensive application security posture, DevSecOps processes should also be considered when configuring WAF,” he says.

Miron adds that because change is constant, testing is a must throughout the lifecycle of applications. “New code, bug fix or outdated library – with so many variables, continuous testing helps uncover vulnerabilities and fix them promptly,” he says.
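Continuous testing applies to the WAF policy as much as to the application behind it, and it is also where the earlier point about fine-tuning policies per application becomes concrete. The following is an added example, not code from the article or from Barracuda: a small regression harness that replays a constructed corpus of legitimate requests and attack requests through a simplified, regex-based rule set, reports false positives and false negatives, and shows how a per-path, per-parameter exclusion (the usual way vendor WAFs and ModSecurity-style engines are tuned) removes the false positives without disabling the rules globally. The rule set, the application paths (`/search`, `/forum/post`, `/download`) and the request corpus are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]


@dataclass
class Rule:
    rule_id: str
    pattern: "re.Pattern[str]"
    description: str


# Deliberately small, generic signatures standing in for a vendor's default rule set
# (constructed for this example; real rule sets are far larger and more precise).
BASE_RULES = [
    Rule("SQLI-001", re.compile(r"(?i)\b(union\s+select|select\s+.+?\s+from\b|or\s+1\s*=\s*1)\b"), "SQL keywords"),
    Rule("SQLI-002", re.compile(r"(?i)'\s*(or|and)\s+|--\s*$|;\s*drop\b"), "SQL meta-characters"),
    Rule("XSS-001", re.compile(r"(?i)<\s*script\b|javascript:|\bon\w+\s*="), "script injection"),
    Rule("TRAV-001", re.compile(r"(?i)\.\./|%2e%2e%2f"), "path traversal"),
]


@dataclass
class Policy:
    rules: List[Rule]
    # Per-application tuning: path -> parameter -> rule ids that must not fire there.
    # Scoping an exclusion this narrowly keeps the rule active everywhere else.
    exclusions: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)

    def evaluate(self, req: Request) -> Optional[str]:
        """Return the id of the first rule that fires, or None when the request is allowed."""
        for name, value in req.params.items():
            excluded = self.exclusions.get(req.path, {}).get(name, set())
            for rule in self.rules:
                if rule.rule_id not in excluded and rule.pattern.search(value):
                    return rule.rule_id
        return None


# Constructed traffic for a hypothetical developer forum: posts legitimately contain
# SQL fragments and relative paths, which a generic rule set mistakes for attacks.
LEGITIMATE_REQUESTS = [
    Request("GET", "/search", {"q": "O'Reilly guide to SQL"}),
    Request("GET", "/search", {"q": "javascript tutorials"}),
    Request("POST", "/forum/post", {"title": "Slow query", "body": "Try SELECT name FROM users WHERE active = 1"}),
    Request("POST", "/forum/post", {"title": "Config", "body": "Check ../config/app.yml for the setting"}),
]
ATTACK_REQUESTS = [
    Request("GET", "/search", {"q": "' OR 1=1 --"}),
    Request("GET", "/products", {"id": "1 UNION SELECT password FROM users"}),
    Request("GET", "/search", {"q": "<script>alert(1)</script>"}),
    Request("GET", "/download", {"file": "../../etc/passwd"}),
    Request("POST", "/forum/post", {"title": "hi", "body": "<img src=x onerror=alert(1)>"}),
]

BASE_POLICY = Policy(BASE_RULES)
# Tuned for this application: SQL and path signatures are excluded on the forum post
# body only; XSS rules still apply there, and every rule still applies on other paths.
TUNED_POLICY = Policy(BASE_RULES, exclusions={"/forum/post": {"body": {"SQLI-001", "SQLI-002", "TRAV-001"}}})


def run_regression(policy: Policy):
    """Replay both corpora through the policy.

    Returns (false_positives, false_negatives): legitimate requests that were blocked,
    as (path, rule_id) pairs, and attack requests that were allowed, as paths.
    """
    false_positives = []
    for req in LEGITIMATE_REQUESTS:
        hit = policy.evaluate(req)
        if hit is not None:
            false_positives.append((req.path, hit))
    false_negatives = [req.path for req in ATTACK_REQUESTS if policy.evaluate(req) is None]
    return false_positives, false_negatives


if __name__ == "__main__":
    for label, policy in (("base", BASE_POLICY), ("tuned", TUNED_POLICY)):
        fps, fns = run_regression(policy)
        print(f"{label}: {len(fps)} false positive(s) {fps}, {len(fns)} false negative(s) {fns}")
```

Run in CI on every application release: a non-empty false-negative list means a policy change or exclusion has opened a hole, and a non-empty false-positive list means the policy is blocking business traffic. The corpus should grow whenever a new legitimate input shape is added to the application or a new attack is seen in the WAF logs, which is what keeps the test continuous rather than a one-off at deployment.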

Additional Web Application Firewall Best Practices

Miron adds that MSPs and VARs can add value and optimize WAF performance with these three best practices:

    1. Test WAF policies to ensure that legitimate traffic is not blocked.

A web application firewall is meant to block malicious traffic, but it may occasionally block legitimate traffic. This could cause your client to lose an opportunity to engage a customer or prospect. It can also mean the WAF is working harder than necessary and consuming resources on traffic it should pass. Evaluate and test policies periodically, against both known-good and known-bad requests, to confirm they still block what they should and nothing more.

    2. Periodically generate reports for adherence to compliance standards.

Some regulations that certain businesses or organizations need to comply with, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS), require a WAF or are commonly satisfied with one; PCI DSS, for example, requires public-facing web applications to be protected by an automated technical solution, such as a WAF, that detects and prevents web-based attacks. You can add value by providing your clients with reports that show they meet regulatory requirements and make it easier for them to document compliance.

    3. Ensure proper measures are in place to defend against automated attacks.

Not every web application firewall can, on its own, detect and defend against automated attacks: signature rules catch malformed requests, but a well-formed login or search request sent thousands of times by a script looks individually harmless. Ensure the WAF, as a part of the total security solution you implement for your clients, protects against bot attacks, whether through its own bot-protection features or through complementary controls.
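To show what the WAF's per-request signatures miss and what bot protection has to look at instead, here is an added example that is not from the article or from Barracuda: behavioural detection run over a constructed set of combined-format access log lines, of the kind a WAF or reverse proxy writes. It flags an IP on three signals that only appear across many requests: a burst (more than a threshold of requests inside a sliding window), a user agent from a known scripting library, and repeated failed logins. The thresholds, log format and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format (assumption: the WAF or proxy logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

WINDOW_SECONDS = 30        # sliding window for the burst check
BURST_THRESHOLD = 6        # more than this many requests in one window is a burst
LOGIN_FAIL_THRESHOLD = 5   # this many failed logins from one IP is suspicious
# User agents of common automation libraries, plus an empty or "-" agent.
AUTOMATION_UA = re.compile(r"(?i)python-requests|curl/|go-http-client|wget/|scrapy|httpclient|^-?$")


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_requests_in_window(timestamps, window):
    """Largest number of requests falling inside any window of `window` seconds."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while (ts[i] - ts[j]).total_seconds() > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def classify(lines):
    """Return {ip: [reasons]} for every IP whose traffic looks automated."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        if max_requests_in_window([r["ts"] for r in recs], WINDOW_SECONDS) > BURST_THRESHOLD:
            reasons.append("burst")
        if any(AUTOMATION_UA.search(r["ua"]) for r in recs):
            reasons.append("automation-ua")
        failed_logins = sum(
            1 for r in recs
            if r["method"] == "POST" and r["path"].startswith("/login") and r["status"] in (401, 403)
        )
        if failed_logins >= LOGIN_FAIL_THRESHOLD:
            reasons.append("login-failures")
        if reasons:
            findings[ip] = reasons
    return findings


def log_line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/118.0 Safari/537.36"

# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    # A person: a few page views spread over a minute, static assets included, one successful login.
    log_line("203.0.113.5", "10/Oct/2023:13:55:00 +0000", "GET", "/", 200, BROWSER_UA),
    log_line("203.0.113.5", "10/Oct/2023:13:55:01 +0000", "GET", "/static/app.css", 200, BROWSER_UA),
    log_line("203.0.113.5", "10/Oct/2023:13:55:40 +0000", "GET", "/products/42", 200, BROWSER_UA),
    log_line("203.0.113.5", "10/Oct/2023:13:56:05 +0000", "POST", "/login", 302, BROWSER_UA),
    # A scraper hiding behind a browser user agent: a catalogue page every three seconds.
    *[log_line("192.0.2.9", f"10/Oct/2023:14:00:{3 * i:02d} +0000", "GET", f"/products?page={i}", 200, BROWSER_UA)
      for i in range(8)],
    # Credential stuffing from a scripting library: a failed login every two seconds.
    *[log_line("198.51.100.7", f"10/Oct/2023:14:10:{2 * i:02d} +0000", "POST", "/login", 401, "python-requests/2.31.0")
      for i in range(12)],
]

if __name__ == "__main__":
    for ip, reasons in classify(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

Every request from the scraper would pass a signature-only WAF, because each one is a valid catalogue page load; only the rate across requests gives it away, and a user-agent check alone would miss it. The credential-stuffing source trips all three signals. In production the same logic runs on a stream rather than a list, the thresholds are set per application (a search API legitimately sees bursts a marketing site never does, which is the per-application tuning Miron describes), and the action is a challenge or rate limit rather than an outright block so that a shared NAT address does not lock out real users.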

How Does Your WAF Stack Up?

It takes the right tools to support WAF best practices. OWASP offers evaluation criteria to help you find a web application firewall that will deliver the most value and the highest level of protection.

You can also learn more about the WAF solutions available in our Web Application Firewall Product Comparison.