
Legacy vs next-gen WAF: Why the difference matters


Today's enterprises often rely on legacy web application firewalls (WAFs) that use regular-expression pattern-matching rules to secure their businesses. Legacy WAFs can make scaling difficult and regularly cause more problems than they solve, particularly when they produce false positives that security and operations teams must wade through to verify whether an actual attack occurred. But it doesn't have to be this way.

Our world is driven by ever-increasing digitization, which is becoming more complex, driving faster development and, with the proliferation of APIs, may feel like it is getting out of our control. Indeed, more than half of businesses say most or all of their applications will use APIs in the next two years. Crucially, this means more data to protect across a wide range of applications.

A streamlined view of web defenses is fundamental to driving businesses forward in a mix-and-match application environment that has evolved due to the fast pace of digital transformation. Going forward, a next-gen WAF approach is necessary to improve security efficacy, provide consistent protection across disparate application architectures and environments, and reduce costs.

Speed is of the essence

Legacy WAFs are often black boxes because they don't adequately show why they blocked a web request and provide few, if any, request details, so they are rarely operated in blocking mode. Overall, UK businesses use an average of 11 web application and API security tools, spending close to £365,000 on these assets. However, 40 percent of all security alerts are false positives. Our research tells us that many of these tools block legitimate business traffic, waste money and resources, and cause 91 percent of respondents in our report to run them in log or monitoring mode or shut them off entirely.

An effective next-gen approach relies on identification of the intent behind a request, as opposed to waiting for the request itself to be recognized as malicious. 

An effective WAF should inform security experts of anomalous traffic rather than silently blocking those requests. Each decision should also be reported with the details explaining why a block was made. This visibility is critical for developers so they understand how malicious traffic is targeting their app: they can then go back in the next development cycle and address vulnerabilities in the codebase.
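To make the "black box" point concrete, here is an added example (not code from the article or from Fastly) of a minimal regex-rule evaluator in the style of a legacy WAF. The rules and requests are constructed for illustration; the point is that a bare "blocked" verdict hides the evidence, whereas returning the rule ID, the matched substring and the field lets a reviewer see at a glance that a benign comment tripped a keyword rule. It also shows the log-only mode the article says most teams fall back to.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample rules in the style of a keyword-matching legacy WAF.
# Hypothetical rule IDs; not any product's real ruleset.
LEGACY_RULES: Dict[str, re.Pattern] = {
    "SQLI-001": re.compile(r"\b(select|union|drop)\b", re.IGNORECASE),
    "XSS-001": re.compile(r"<script", re.IGNORECASE),
}


@dataclass
class Decision:
    action: str                    # "block", "log" or "allow"
    rule_id: Optional[str] = None  # which rule fired (evidence for the reviewer)
    matched: Optional[str] = None  # the exact substring that triggered it
    field: Optional[str] = None    # which request field contained it


def evaluate(request: Dict[str, str], mode: str = "block") -> Decision:
    """Run every request field through the rules and return an explained decision.

    mode="block" enforces; mode="log" records the same evidence but allows the request,
    which is the monitoring mode teams fall back to when false positives pile up.
    """
    for field_name, value in request.items():
        for rule_id, pattern in LEGACY_RULES.items():
            m = pattern.search(value)
            if m:
                action = "block" if mode == "block" else "log"
                return Decision(action, rule_id, m.group(0), field_name)
    return Decision("allow")


def false_positive_rate(labelled: List[Tuple[Dict[str, str], bool]]) -> float:
    """Share of benign requests (label False) that the rules flag; 0.0 if there are none."""
    benign = [req for req, is_attack in labelled if not is_attack]
    if not benign:
        return 0.0
    flagged = sum(1 for req in benign if evaluate(req).action != "allow")
    return flagged / len(benign)


# Constructed traffic: two benign comments and one obvious rule-test string.
SAMPLE_TRAFFIC: List[Tuple[Dict[str, str], bool]] = [
    ({"comment": "Please select the blue option for my order"}, False),  # benign, but matches SQLI-001
    ({"comment": "Looks great, thanks for the quick delivery"}, False),  # benign, no match
    ({"id": "1 UNION SELECT 1"}, True),                                  # rule-test string, true positive
]
```

Running `evaluate` on the first sample returns a block that names `SQLI-001`, the word `select` and the `comment` field, which is exactly the context a reviewer needs to recognise a false positive in seconds; `false_positive_rate(SAMPLE_TRAFFIC)` shows half the benign traffic being flagged.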

True next-gen WAFs empower security and development teams to gain visibility in production, for example by sharing security telemetry and metrics with DevOps and security tools like Slack and PagerDuty, so all teams have the same baseline information to make decisions from.

Additionally, a next-gen WAF can share security telemetry and metrics with Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) tools via API. This enables security teams to use the WAF's data for further correlation and investigation if necessary. For example, the next-gen WAF's data can be used in conjunction with logs and metrics from other security tooling, such as a network intrusion detection system, all in service of recognizing potentially harmful attacks while also reducing the workload for security teams, because the next-gen WAF is an integral part of their overall security toolset.

Custom rules can slow you down

The custom rules attached to legacy WAFs are often costly to write and maintain. Fastly found that 30 percent of businesses indicated that ruleset customization and testing hinder their ability to keep up. Additionally, 68 percent of businesses said their organization develops new rules for deployed controls at least monthly, with efficacy testing typically lasting at least a week.

The right security in the right place

Legacy WAFs have traditionally been deployed as part of a perimeter-based security strategy to facilitate early identification of threats. This came with the drawback of making it practically impossible to see what was getting through to the origin or to interpret application behavior. In contrast, a next-gen WAF can deploy in multiple locations depending on where the application or API itself is deployed. Inspecting web requests before they reach the origin is key to effective application security, and a next-gen WAF can do just that by deploying in the cloud, in front of legacy applications, or, with a single DNS change and no agents, as a Cloud WAF.

Effective next-gen WAFs are able to deploy in multiple locations thanks to a lightweight and flexible approach to protecting any app in any environment. They leverage software modules that can be deployed anywhere in your technology stack, from a web server instance to an API gateway to containers. And they can be deployed in these various ways without instrumenting code on every deployment. A comprehensive deployment approach like this ensures your site is protected no matter where the app operates, so it stays up and running.

Integration with DevOps processes is key

Combining legacy WAFs with DevOps practices can become challenging, as instances are difficult to stand up when applications and services scale. Many don't support integration with DevOps tools, limiting teams' ability to access security data. When legacy WAFs cannot plug into those tools effectively, the APIs they are meant to protect cannot be secured at scale.

In comparison, a next-gen WAF provides a unified view across your entire footprint, enabling consistent reporting to the entire organization. A next-gen WAF also integrates with DevOps tooling for cross-team visibility.

Pushing this security data to tools used by developers, operations, and security teams allows teams to self-service data and fix issues faster, together. Plus, robust APIs allow Security Operations Centre (SOC) teams to pull data into SIEM tools to visualize trends over time and better prioritize resources.

What now?

If this information makes you question your web app and API security tools, you're not alone. In fact, 93 percent of businesses say they are interested in deploying, or are already planning to deploy, a consolidated web application and API security solution to improve security efficacy. These security tools should provide consistent protection across disparate application architectures and environments, and reduce costs.

Switching to new security solutions can be a daunting process, but it’s even harder to recover from a major security breach. Investing the time in this project can lead to greater change in your business, helping you to make your apps and APIs more secure and move towards consolidated security tooling.

Brendon Macaraeg, Senior Director of Product Marketing, Fastly

Brendon Macaraeg is Senior Director of Product Marketing at Fastly. He has over 20 years of Product and Marketing management experience with an emphasis on consumer services and enterprise security SaaS products.