Ask HN: Are Web Application Firewalls Necessary?
I am operating cloud based SaSS and finding it very difficult to find a good solution that works well with many custom domain names, SSL, etc. I already have SQL injection protection. Do these solutions offer enough security to offset the hassle, potential performance degradation and an additional point of failure they introduce?
4 comments
[ 3.0 ms ] story [ 22.6 ms ] threadYou might protect your web-facing service, but what about someone already inside your network (RAT)?
WAFs are an additional measure, that you probably can't deploy between each pair of machines that communicate together. Have someone perform a pentest, see how bad it is. Also, they're expensive, more so than a check for weird chars in a comment field.
Most of them are just a ruleset of common basic SQL injections that it hopes to detect and block. If it even actually works the attacker just changes a few characters and easily gets past the block.
You are better fuzzing, using the ruleset to test your code in development detect the SQL injections and fix them. Now your code is secure, there is no extra setup, there is no extra latency, there is no extra complexity, there is no way around this security, its secure security.