Ask HN: Do you use Web Application Firewall (WAF)?
I am wondering if it is worth the extra protection of using a WAF or is it ok to rely on our application code to protect against XSS, SQL injection etc. type of attacks? This is for a new cloud application that we are launching. I am leaning towards using a WAF since this is a enterprise/business application. Also, are there any specific products you would recommend? I have been reviewing how to configure the rules in HAProxy/mod_security but am wondering if it is just safer to rely on commercial product. Any suggestions or experiences?
9 comments
[ 3.1 ms ] story [ 34.4 ms ] threadWhile you can rely on your app to have its own security, it never hurts to have extra (unless latency is a concern).
I'd start with an open source version and move up to a commercial product if its necessary.
A proper threat and risk analysis should be done so you can have a cost-effective solution. Security is expensive and maybe the cost of a breach is way cheaper than the security appliance or experts you hire.
Sometimes the best security solution is not to have anything, because it doesn't really matter.
In my opinion, if the threat could actually be defined, then there would be no security industry. Everyone would know the answer, and everyone would be secure. The reason this industry exists is because you cannot define the threat, it is constantly evolving. Doing nothing because it does not matter (really?), or justifying a lack of security by lowering the value of the customer's data sounds like an unprofessional approach.
If you're going to do something WAF-y, my recommendation would be modsecurity.