WAFs don't protect against modern appsec threats
Web Application Firewalls (WAFs) were once the gold standard for protecting web applications. They are designed to safeguard against the OWASP Top 10 threats, providing a fundamental layer of security. However, that was 30 years ago and times have changed. In this post I’ll dive into why WAFs are no longer good enough to detect modern appsec threats.
WAFs were designed for the OWASP Top 10
Even the 2021 edition is long in the tooth
Web Application Firewalls (WAFs) were originally designed to address the OWASP Top 10, a list created by the Open Web Application Security Project (OWASP) that highlights the most critical security risks to web applications. These include common vulnerabilities like SQL injection and cross-site scripting, which WAFs detect by analyzing individual web requests.
However, this approach is inherently limited. By focusing on single web requests, WAFs miss the broader context and nuances of modern web applications, making it difficult to detect more sophisticated, multi-step attacks. As web applications have become more complex, especially with the emergence of APIs and microservices, the traditional methods used by WAFs have left significant gaps in security.
Modern threats require a comprehensive approach that considers the entire application environment, user behaviors, and intricate attack patterns. The old WAF technology simply isn’t enough to keep up with the evolving landscape of web security threats.
The Gaps in WAF Coverage
WAFs excel at what they were designed for, but they lack the visibility and capability to detect several critical modern threats:
- OWASP API Top 10: modern applications are API first, which means that modern application security should also include coverage of the OWASP API Top 10, not just the OWASP Top 10.
- Business Logic Abuse: Threats like credential stuffing, enumeration, and account takeover exploit the logic of an application rather than its vulnerabilities. These require a deeper understanding of the application's business logic, which WAFs typically do not possess.
- JWTs: Modern APIs use advanced authentication methods such as JWTs and API keys. WAFs often struggle to see or understand these auth flows and therefore cannot secure them.
- Conformance: There are a lot more APIs than there are traditional web applications, so making sure that each API is doing what it’s supposed to be doing becomes important. APIs that aren’t doing what they’re supposed to be doing can be threats.
- Sensitive Data: Because modern attack surfaces are so large and complex, security teams are overwhelmed with security findings, controls, and tools. Many attackers can slip by undetected on the most high value targets if security teams aren’t aligning security controls with parts of the attack surface with high business risk.
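To make the single-request limitation concrete, here is an added example (written for this post, not Impart's code) that runs two checks over a constructed set of login and search log records: a stateless payload-signature rule of the kind a WAF applies per request, and a stateful check that counts failed logins against distinct usernames from one client over a time window, which is what catches credential stuffing. The log records, thresholds, and the signature pattern are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample log records (invented for this example, not from the post):
# (timestamp in seconds, client IP, request path, username field, HTTP status)
SAMPLE_LOG = [
    (0,  "203.0.113.7",  "/login", "alice", 401),
    (2,  "203.0.113.7",  "/login", "bob",   401),
    (4,  "203.0.113.7",  "/login", "carol", 401),
    (6,  "203.0.113.7",  "/login", "dave",  401),
    (8,  "203.0.113.7",  "/login", "erin",  401),
    (9,  "203.0.113.7",  "/login", "frank", 200),   # one hit among many misses
    (12, "198.51.100.4", "/login", "grace", 401),   # a normal user mistyping once
    (15, "198.51.100.4", "/login", "grace", 200),
    (20, "192.0.2.9",    "/search?q=' or 1=1", "", 200),  # classic injection payload
]

# Payload-signature rule of the kind a WAF applies to each request in isolation.
SQLI_PATTERN = re.compile(r"(?:'|\")\s*(?:or|and)\s+\d+=\d+|union\s+select", re.I)

def per_request_rule(record):
    """Stateless check: sees only this request, so a single valid-looking
    login attempt never trips it regardless of what preceded it."""
    _, _, path, _, _ = record
    return bool(SQLI_PATTERN.search(path))

def credential_stuffing_sources(records, window=60, min_failures=5, min_users=5):
    """Stateful check: one client IP failing logins for many distinct usernames
    inside `window` seconds. This needs state carried across requests, which is
    exactly the context a per-request WAF rule does not keep."""
    flagged = set()
    by_ip = defaultdict(list)
    for ts, ip, path, user, status in sorted(records):
        if path == "/login" and status == 401:
            by_ip[ip].append((ts, user))
    for ip, attempts in by_ip.items():
        for i, (start, _) in enumerate(attempts):
            in_window = [u for ts, u in attempts[i:] if ts - start <= window]
            if len(in_window) >= min_failures and len(set(in_window)) >= min_users:
                flagged.add(ip)
                break
    return flagged

def waf_only_findings(records):
    """What the per-request rule alone would report for the same log."""
    return [r for r in records if per_request_rule(r)]

if __name__ == "__main__":
    print("per-request rule flags:", waf_only_findings(SAMPLE_LOG))
    print("credential stuffing sources:", credential_stuffing_sources(SAMPLE_LOG))
```

Run against the sample, the per-request rule reports only the injection payload, while every one of the stuffing attempts passes it individually; only the windowed, per-client view identifies 203.0.113.7.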
Impart was designed for modern application security threats
Recognizing these threat coverage gaps, we built Impart to detect them out of the box. Core WAF detections are just a fraction of the out of the box threat coverage that our customers get with every Impart deployment.
As you can see, in our product we have several categories of threat coverage detections ranging from generic WAF, to many other categories such as security posture, conformance, JWT, and GraphQL to name a few. What’s more, we are constantly adding to our threat coverage capabilities every day through our own threat research efforts as well as from our customers.
Impart’s out of the box detections offer a much more comprehensive view of the modern application security threat landscape.
In conclusion, while WAFs have served us well in the past, they are no longer sufficient to tackle the sophisticated threats posed to modern applications. Impart offers a robust, comprehensive solution that addresses these evolving security challenges, ensuring your applications remain secure.