1

Recently, my brother suggested me to use mod_security. I did a research what it truly is and what it does, but I feel very uneasy to decide whether should I use it or not. Here is what in my mind that keep me from not using it.

  • Slightly affect my website performance. The more rules, the slower it will get.
  • It does not completely filter all the attacks (it is understandable, because it is not possible for any software to truly protect everything).
  • Sometimes, it can block innocent users.
  • Add another software means add another responsibility to maintain it.

Now the real question is:

  • If mod_security cannot filter everything, and you still need to make sure your web application is secure, why not properly write a secure web application without running any Web Application Firewall?

  • Since it is our web application, we know better than any 3rd-party software what expected input from users. Having 3rd-party software to detect the attack and then write a input validation in our web application is like a double-check (while it is good, but the performance cost would be double as well).

neuro
  • 14,948
  • 3
  • 36
  • 59
invisal
  • 11,075
  • 4
  • 33
  • 54

1 Answers1

1

In the scenario you describe, where you have a custom application written by developers who care about security, I agree that WAFs offer nugatory value as an intrusion prevention system.

The idea that WAFs are effective in automatically providing unknown web apps is industry marketing spin of the worst kind. They provide exceedingly poor performance(*) if not painstakingly configured to fit the application; unless you have a separate security team that has the resources to do that, it is typically indeed better to spend the resources on secure development.

(*: as in protection afforded vs time and custom lost due to false positives; mod_security's core rules are IMO particularly troublesome.)

WAFs are, on the other hand, useful:

  • as temporary workarounds to allow you to protect legacy and third-party applications with specific known vulnerabilities until such time as they can can be fixed or replaced;

  • configured as intrusion detection systems, raising alerts rather than blocking, where you have operational resources to follow up and potentially block attack sources.

bobince
  • 528,062
  • 107
  • 651
  • 834