Every Application Should Be Behind a WAF

It’s no secret that security threats continue to expand in volume and variety, making headlines on virtually a daily basis. From nation-state attacks, corporate espionage, and data exfiltration campaigns to all-in-one and sneaker bot campaigns, businesses across the globe find themselves dealing with a deluge of inbound threats. The increased amount and variation of threats, and the proliferation of apps being deployed and managed by teams and individuals across the enterprise, can make securing apps and data feel like trying to keep water out of a submerged sieve.


This threat is, of course, not new — nor is the trend of increasing threatening behavior. In Akamai’s State of the Internet / Security, A Year in Review 2019 report, we can clearly see a steady rise in web application attacks from 2017 to 2019. 

WAFBlog2_9.8.jpgOn Akamai’s platform, for the period ending June 30, 2020, we observed 35% year-over-year increases in web application attacks, and 350% year-over-year increases in malicious login attempts. Our teams have also recently reported on the fact that large DDoS attacks are increasing, including attacks of more than 100 Tbps. So the need for robust security controls should be apparent, yet businesses continue to struggle with unprotected servers and misconfigured security controls.

As businesses continue to accelerate the development of new applications, they face the very real challenge: Their application teams are not security experts. As Jaspal Jandu, the group CISO at DAZN, explained to Akamai, businesses are “balancing the need to innovate and be agile against the risks … in an environment where users demand constant innovation and cutting-edge entertainment opportunities.” There is a persistent and growing tension within a business to implement vigorous security controls, while not impeding innovation or compromising growth.


This tension can result in shadow IT operations, where teams without a background in application security expose unprotected apps to the public internet. These teams often do not realize their application requires protection, or there isn’t some inherent security built into the platform or service they have selected. To help application teams establish a security baseline, the Open Web Application Security Project (OWASP) created a standard awareness document for developers. It represents a broad consensus about the most critical security risks to web applications, called the OWASP Top 10.  

Even when teams attempt to follow these fundamentals, misconfigurations are a common challenge. Recent examples of fallout from misconfigurations include the massive 1.3 Tbps Memcached UDP-reflection attack, which stemmed from compromised servers that should never have been exposed to the internet, and a misconfigured web application firewall (WAF) resulting in the theft of 100 million consumer credit card applications. 

All too often, content breaches result from poor protections like weak passwords, a lack of role-based access control, or a configuration control problem — i.e., “this endpoint should never be accessed because it was designed only for internal use.” In many cases, application development or site owners did not protect their content with a WAF because they felt it would be too restrictive or too cumbersome to manage. This challenge has led most WAF providers to implement baseline controls, managed rule sets, and managed security services in an attempt to help teams improve protections.

At Akamai, our teams are constantly working to educate our customers on the need for robust security controls. Our market-leading security solutions provide integrated and adaptive security controls including DDoS protection, web application and API protection, bot management, identity and access management, and more. We recognize that getting started with security can be a challenge, so we offer services including threat assessments, architecture reviews, fully managed monitoring, and security operations options.

If you have concerns about your security posture, consider starting with a readiness and response assessment today.

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Ari Weil. Read the original post at: