The Changing Face of Web Application Security

We all understand that security is driven by balancing risk with compliance requirements, and protecting important assets while minimizing the financial cost, but recent developments suggest that a shift in emphasis is occurring within web application security.

For many years now, the web application firewall (or WAF) has been the bedrock of protecting websites. Since the first open source WAF from Modsecurity began in 2002, the market, primarily driven by compliance and payment card industry (PCI) requirements, has grown to a multi-billion dollar industry. It is still true that any new WAF must address the OWASP Top 10 security vulnerabilities, whether it is a cloud WAF, an appliance or open source, but recently a new key requirement has been added—WAFs must now include bot mitigation.

Some might argue that WAFs have always been able to detect bots, but no company that deals with today’s sophisticated bot problems would rely solely on a WAF. They have learned through hard-earned experience that writing WAF rules for an ever-changing bot problem is time-consuming, inefficient and ineffective because WAFs were built for protecting vulnerabilities and not for beating bots.

Industry analyst firms are changing their commentary on web application security and are sharing similar sentiments about the increasing importance of bot mitigation within their research.

In its recently published “Magic Quadrant for Web Application Firewalls,” Gartner concluded that bot management is on the rise: “During the past few months, the ability to segregate automated traffic from human clients has become a more important requirement. Bot mitigation and good bot handling have become scrutinized features, and WAF vendors adapting their offerings.”

But the reality is that the vendors included within the report were evaluated on how adequately they addressed the bot problem. And as a warning to the WAF vendors: “Gartner expects bot management (which includes bot mitigation and good bot handling) to become a core feature in WAF evaluations in the near future.”

Forrester also acknowledges that web application security is changing, and recently published “The Forrester New WaveTM: Bot Management, Q3 2018,” indicating the market is maturing in importance.

Meanwhile, Forrester has gone further in their predictions within other research. In its “New Tech: Bot Management, Q3 2018” report they conclude that: “… bot management will become the predominant application defense.” In comparing the role of WAFs and bot management within application security, Forrester considers that, “… security pros should expect to see a complete flip of the market, where instead of WAF tools providing bot management to augment their OWASP Top 10 defense, bot management tools will garner the most customer interest, and OWASP Top 10 protection will be a secondary, add-on benefit.”

For years, web security was built on addressing the OWASP Top 10, with barely a mention of the OWASP Automated Threat Handbook, which outlines 21 threats from bots. To accept that bots are so pervasive and on a par with other security vulnerabilities is a major shift in thinking.

Bots were long-considered benign, but every industry has its own unique problems caused by automated threats. Even beyond social media cyber-influencing bots affecting elections, nefarious actors can use bots to scalp tickets for events, launch brute force attacks on online accounts, scrape LinkedIn profiles, steal gift card balances and scrape competitor prices.

Every industry has learned that bad bots are there for a reason, and that reason is typically to exploit the business or damage its competitive position in the market. Perhaps it’s not surprising that attitudes are changing, because more and more companies are learning that it is difficult to beat bad bots. However, ignoring them is no longer an option.

Tiffany Olson Kleemann

Avatar photo

Tiffany Olson Kleemann

Tiffany Olson Kleemann is the chief executive officer of Distil Networks. She formerly served in executive roles at Symantec and FireEye and was deputy chief of staff for cybersecurity operations under President George W. Bush.

tiffany-olson-kleemann has 1 posts and counting.See all posts by tiffany-olson-kleemann