A key strategy for shifting security left is moving perimeter-focused security controls down the stack by putting them in front of services and other infrastructure components, such as containers and container orchestration systems or API management systems and gateways.
While this does allow for more granular security, it is not a free lunch for developers. Simply saying "The WAF will stop it" subverts the entire thinking and purpose of shifting left. Rather, developers must move from thinking of Web application firewalls (WAFs) as a prophylactic to thinking of WAFs as a critical part of their secure coding test process. Here is how they can do that.
The Explosion of WAFs and Cloud-Native Software
While many companies still deploy WAF appliances, the fastest-growing segment of this market is WAF software that runs in the cloud. With the rise of cloud-native architectures and ephemeral infrastructure, more organizations are placing WAFs deeper into their application stacks, right in front of microservices. Some are even using WAFs for internal security to enforce robust zero-trust frameworks. So the new reality is that developers are far more likely to come into close contact with WAFs today than at any point in the past. That said, WAFs at the microservice level are not foolproof.
Before Deploying the WAF: Secure Coding Is Essential
To start, developers must build applications under the assumption that all security controls can and will fail. This is important because it encourages them to build applications that are secure by default. Secure coding means using basic design principles, such as code minification to obscure code, while ensuring that all variables and calls are checked against the OWASP Top 10 vulnerability list. There are dozens of ways that attackers can exploit poorly written code, including SQL injection, cross-site scripting, broken access controls, and file upload vulnerabilities.
A key part of this effort is to ensure developers are running linters and formatting checkers against all code. Ideally, you want developers to run code through software composition analysis (SCA) to identify risky dependencies and libraries that require updates. A secure coding process and mentality is more critical now because cloud-native microservices have turned security inside out.
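The "assume every control can fail" principle above, shown as an added example (not code from the original article): the same user lookup written so that it depends on an upstream WAF catching a SQL injection, beside the parameterized version that stays correct whether or not the WAF fires. The in-memory table and the tautology input are constructed for the demonstration.

```python
import sqlite3

def build_db():
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, name):
    # String concatenation: the input is parsed as SQL, so a WAF rule is the
    # only thing standing between the request and the query. If that control
    # fails, the query returns every row instead of one.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_secure(conn, name):
    # Parameter binding: the driver passes the value as data, never as SQL
    # text, so the query stays correct with or without the WAF in front.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# Classic boolean tautology used here only to show the difference in outcome.
TAUTOLOGY = "x' OR '1'='1"

def compare(name):
    """Return (rows from the concatenated query, rows from the bound query)."""
    conn = build_db()
    return lookup_vulnerable(conn, name), lookup_secure(conn, name)

if __name__ == "__main__":
    weak, strong = compare(TAUTOLOGY)
    print("concatenated query returned", len(weak), "rows")  # 3 rows leaked
    print("parameterized query returned", len(strong), "rows")  # 0 rows
```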
At this point, the application security or DevSecOps teams run the code against some form of simulation and add the WAF. For many developers, that is the end of the story. They think, "We have deployed a WAF. We are safe now." They are wrong. Increasingly, the applications developers ship are microservices, connected via APIs. Developers "own" their microservices and APIs and are responsible for their security. The microservices and APIs may have highly specific rules and optimizations that can affect WAF behaviors and policies. Every application is different, and many unique APIs emerge.
With microservices, developers tend to ship code quickly and iterate faster because these smaller applications are loosely coupled and do not affect other applications. That makes for greater agility but also greater security risk if the changes are not run through the same rigorous security process that was observed at application launch.
Learning to Think Like a WAF Operator
Developers should always ask themselves before they ship code, "How will this affect my WAF coverage and security posture?" This question is valuable because it teaches them to think about how WAFs are working and not working; in other words, threat modeling.
Threat modeling is critical because there are known ways that attackers work around WAFs or exploit WAF weaknesses. For example, by default, Kubernetes exposes APIs for services and connections. Locking down Kubernetes APIs without breaking functionality is notoriously difficult, particularly if you are changing the applications and the service calls within them frequently. Recently, the Shadowserver Foundation calculated that 84% of Kubernetes API servers had left themselves exposed to discovery on the public Internet.
Understanding a WAF is a key precursor to threat modeling and, by extension, to thinking like a firewall operator. Some WAF comprehension is tacit knowledge. For instance, tuning a WAF to limit false positives and false negatives to an acceptable level remains difficult. Developers looking to shift left can piggyback on experienced WAF operators to learn the tuning process and, in turn, better understand how the WAF responds to real-world traffic. Today, some organizations also deploy machine learning to help developers tune their WAFs more easily by making rule and policy suggestions based on unsupervised learning across multiple WAFs.
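The tuning loop described above, as an added example that is not part of the original article: a handful of constructed, hand-labelled requests are replayed through a first-draft rule set and a tightened one, and the harness counts how many legitimate requests each set blocks (false positives) and how many attacks it lets through (false negatives). The rule names, patterns and sample requests are all assumptions made for the demonstration, not any vendor's rules.

```python
import re
from urllib.parse import unquote_plus

# Constructed, hand-labelled sample traffic: (request, is_attack). Not real logs.
SAMPLES = [
    ("/search?q=union+members+select+a+chairman", False),
    ("/search?q=1+UNION+SELECT+password+FROM+users", True),
    ("/comment?text=I+love+<b>bold</b>+text", False),
    ("/comment?text=<script>alert(1)</script>", True),
    ("/profile?name=Robert'+OR+1=1--", True),
    ("/profile?name=O'Brien", False),
]

# First-draft rules: any "union" followed somewhere by "select", any "<",
# any apostrophe. Cheap to write, and they block ordinary traffic.
LOOSE_RULES = {
    "sqli-union": re.compile(r"union.*select", re.I),
    "xss-tag": re.compile(r"<"),
    "sqli-quote": re.compile(r"'"),
}

# Tuned rules: adjacent whole-word SQL keywords, only the script tag, and a
# quote followed by a boolean tautology rather than any quote at all.
TUNED_RULES = {
    "sqli-union": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "xss-script": re.compile(r"<\s*script\b", re.I),
    "sqli-tautology": re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I),
}

def classify(rules, request):
    """Return the name of the first rule that fires on the decoded request, or None."""
    decoded = unquote_plus(request)
    for name, pattern in rules.items():
        if pattern.search(decoded):
            return name
    return None

def evaluate(rules, samples):
    """Count false positives (legitimate blocked) and false negatives (attack passed)."""
    fp = fn = 0
    for request, is_attack in samples:
        blocked = classify(rules, request) is not None
        if blocked and not is_attack:
            fp += 1
        elif not blocked and is_attack:
            fn += 1
    return fp, fn

if __name__ == "__main__":
    for label, rules in (("loose", LOOSE_RULES), ("tuned", TUNED_RULES)):
        fp, fn = evaluate(rules, SAMPLES)
        print(f"{label}: false positives={fp} false negatives={fn}")
```

The same harness reports false negatives once the labelled corpus includes attacks the rules miss, which is how an operator checks that tightening a rule has not opened a gap.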
Better WAF Comprehension Leads to More Secure Code
Even better, good WAF comprehension also carries over into more secure coding. Developers who intimately understand WAFs, and have hands-on experience tuning them, benefit from tacit knowledge that is difficult to teach and from experience that goes beyond Open Web Application Security Project (OWASP) checklists. An equally good practice is, in a safe environment, to have developers work alongside red-team members to see how a smart attacker might compromise their apps and bypass default WAF settings.
The bottom line is simple: Developers, take time to understand your WAF and learn its weaknesses. WAF knowledge will help you write secure code now and save your apps from being hacked later.