WAFs, SDLC and PCI Compliance

Posted on September 4, 2012

Web applications remain one of the most vulnerable parts of our computing infrastructure.  We’ve taken extraordinary measures over the past decade to shore up our network security and system security, but web applications have generally been left behind.  The complexity of web applications combined with a lack of awareness among developers leads to a woeful state of vulnerability to SQL injection, cross-site scripting (XSS) and other attacks.  Estimates from WhiteHat indicate that it would take the banking industry alone 400 days to patch 90% of the flaws in their applications.

One potential solution to this dilemma is the use of compensating controls to safeguard against existing and future application flaws. Web application firewalls (WAFs) fit this bill. These devices, like traditional network firewalls, monitor traffic coming into a network, with a specific emphasis on the requests headed to web servers. They perform deep content inspection on these requests, looking for HTTP requests that violate an organization's security policy or carry potentially malicious input, such as a SQL injection attack.
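As an added example (not code from the original post), here is the inspection step described above reduced to a small Python request checker: it enforces an allowed-method policy and scans URL-decoded parameters for SQL injection signatures. The signature list, the method policy and the sample requests are all constructed for illustration.

```python
# Added example: a minimal WAF-style request inspector, not code from the original post.
# It models the "deep content inspection" described above: decode the request, check it
# against a simple policy (allowed methods), and scan parameters for SQL injection signatures.
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

ALLOWED_METHODS = {"GET", "POST"}  # hypothetical policy

# Constructed signature list, matched against each decoded parameter value.
SQLI_SIGNATURES = [
    re.compile(r"'\s*or\s+['\d]", re.I),      # tautology such as ' OR 1=1
    re.compile(r"\bunion\s+select\b", re.I),   # UNION-based probing
    re.compile(r"(--|#|/\*)\s*$"),              # comment sequence ending the value
]

def inspect_request(method: str, target: str, body: str = "") -> list:
    """Return a list of policy findings for one HTTP request (empty list = allowed)."""
    findings = []
    if method not in ALLOWED_METHODS:
        findings.append(f"method {method} not permitted by policy")
    # Collect parameters from the query string and from a form-encoded body.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    for name, values in params.items():
        for raw in values:
            value = unquote_plus(raw)  # second decode pass: a crude guard against double encoding
            for sig in SQLI_SIGNATURES:
                if sig.search(value):
                    findings.append(f"SQLi signature {sig.pattern!r} in parameter {name}")
                    break
    return findings

# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    ("GET", "/account?id=42"),
    ("GET", "/account?id=42%27+OR+1%3D1--"),
    ("POST", "/login", "user=admin%27+UNION+SELECT+1%2C2--&pw=x"),
    ("TRACE", "/"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = inspect_request(*req)
        print(req[0], req[1], "BLOCK" if verdict else "ALLOW", verdict)
```

Signature matching of this kind is exactly the compensating control the post describes: it can catch known attack shapes in front of an unpatched application, but it does not remove the underlying flaw.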

Originally published on Sept 04, 2012
