Estimates on the effectiveness of web application firewalls against targeted attacks
Abstract
Purpose
The purpose of this paper is to estimate the effectiveness of web application firewalls (WAFs) at preventing injection attacks by professional penetration testers given presence or absence of four conditions: whether there is an experienced operator monitoring the WAF; whether an automated black box tool has been used when tuning the WAF; whether the individual tuning the WAF is an experienced professional; and whether significant effort has been spent tuning the WAF.
Design/methodology/approach
Estimates on the effectiveness of WAFs are made for 16 operational scenarios utilizing judgments by 49 domain experts participating in a web survey. The judgments of these experts are pooled using Cooke's classical method.
Findings
The results show that the median prevention rate of a WAF is 80 percent if all measures have been employed. If no measure is employed then its median prevention rate is 25 percent. Also, there are no strong dependencies between any of the studied measures.
Research limitations/implications
The results are only valid for the attacker profile of a professional penetration tester who prepares one week for attacking a WA protected by a WAF.
Practical implications
The competence of the individual(s) tuning a WAF, employment of an automated black box tool for tuning and the manual effort spent on tuning are of great importance for the effectiveness of a WAF. The presence of an operator monitoring it has minor positive influence on its effectiveness.
Originality/value
WA vulnerabilities are widely considered a serious concern. To manage them in deployed software, many enterprises employ WAFs. However, the effectiveness of this type of countermeasure under different operational scenarios is largely unknown.
Keywords
Citation
Holm, H. and Ekstedt, M. (2013), "Estimates on the effectiveness of web application firewalls against targeted attacks", Information Management & Computer Security, Vol. 21 No. 4, pp. 250-265. https://doi.org/10.1108/IMCS-11-2012-0064
Publisher
:Emerald Group Publishing Limited
Copyright © 2013, Emerald Group Publishing Limited