Do You Need a Web Application Firewall?

Have you been hacked?

A new study from the Ponemon Institute, sponsored by security vendors Cenzic and Barracuda Networks, found that 73 percent of organizations have been hacked in the last 24 months. The weak point is Web applications.

The study included 637 IT industry respondents across a wide range of vertical industries. Looking deeper into why so many organizations reported Web application hacks, the study found that few organizations properly test or secure their Web applications.

Mandeep Khera, chief marketing officer at Cenzic, said that most companies are not testing their Web applications. Khera added that in many organizations, the coffee budget is larger than the Web application security testing budget. Cenzic develops technology to scan and test Web applications for security issues.

The other area of vulnerability that the Ponemon study exposed has to do with network layer security. The study found that 69 percent of organizations rely on network firewalls to protect Web applications.

Grant Murphy, vice-president of enterprise solutions for Barracuda Networks, noted that the study found a real contrast between how respondents felt about Web security and what they are actually doing. He noted that 74 percent of respondents reported that Web application security is important, yet few have deployed Web Application Firewalls (WAFs).

"There is a real disconnect between the desire and the actual implementation of security counter measures that are appropriate for Web application security," Murphy said.

Of the 637 respondents, 261 identified themselves as WAF users. Murphy added that among respondents who do have a WAF, a reverse proxy is the preferred deployment. He explained that a reverse proxy WAF gives an enterprise an extra layer of security, with protocol termination and the ability to scan for viruses.

"Fifty-nine percent don't have WAFs in place and 70 percent are kidding themselves by thinking their network firewall will secure their Web applications," Murphy said. "You just can't climb to layer 7 and inspect the payload for the contextual elements of what the traffic is trying to do against the Web application with a network firewall."
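To make Murphy's layer-7 point concrete, here is an added Python sketch (not code from the article, Barracuda or Cenzic) that contrasts a port-based network-firewall decision with a reverse-proxy-style WAF that terminates HTTP, parses the request and applies context rules; the sample request, the internal address range and the rules are constructed for the illustration.

```python
"""Toy comparison: a layer 3/4 firewall decision versus a layer 7 WAF decision.
Added illustration; the request, address range and rules are constructed here."""
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes  # the HTTP request as seen on the wire


def network_firewall(pkt: Packet, open_ports=(80, 443)) -> str:
    """Layer 3/4 decision: only addresses and ports are visible.
    Anything bound for an open web port is allowed; the payload is opaque."""
    return "allow" if pkt.dst_port in open_ports else "deny"


def parse_http(payload: bytes) -> dict:
    """Minimal HTTP/1.x request parser, standing in for the protocol
    termination a reverse proxy WAF performs before inspecting a request."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = dict(h.split(": ", 1) for h in lines[1:] if ": " in h)
    parts = urlsplit(target)
    return {"method": method, "path": parts.path,
            "query": parse_qs(parts.query), "headers": headers,
            "body": body.decode("latin-1")}


def waf(pkt: Packet, max_param_len=64) -> str:
    """Layer 7 decision: inspect the decoded request for context the
    network firewall never sees. Rules are constructed for this example."""
    req = parse_http(pkt.payload)
    if req["path"].startswith("/admin") and not pkt.src_ip.startswith("10."):
        return "block: admin path from outside the internal network"
    for name, values in req["query"].items():
        if any(len(v) > max_param_len for v in values):
            return f"block: oversized parameter {name!r}"
    if req["method"] not in ("GET", "POST", "HEAD"):
        return f"block: unexpected method {req['method']}"
    return "allow"


# Constructed sample: an ordinary-looking packet at layer 4 (external source,
# port 443) whose HTTP payload targets an administrative path.
SAMPLE = Packet("203.0.113.7", 443,
                b"GET /admin/users?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n")
```

Running `network_firewall(SAMPLE)` returns "allow" while `waf(SAMPLE)` blocks it, which is the gap the quote describes.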

Murphy noted that the Ponemon data shows there is a real opportunity to educate the market on the value of WAFs. Barracuda Networks' product portfolio includes WAF technology.

Web application scanning technology from Cenzic and WAF technology from Barracuda can be combined to help mitigate Web application issues found both in testing and in production. Khera noted that rules from the Cenzic scanner can then be exported to a Barracuda WAF for enforcement.

As for what it will take to improve adoption of Web application scanning and WAFs, both Barracuda and Cenzic say it is a matter of education.

"The technology is there, we have to get the will and education of enterprises to move forward," Murphy said. "Hackers are certainly taking the path of least resistance."

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.

Keep up with security news: follow eSecurityPlanet on Twitter, @eSecurityP.