A key method of shifting security left is moving perimeter-focused security capabilities down the stack by putting them in front of services and other infrastructure components, such as containers and container orchestration systems, or API management systems and gateways.
While this does allow for more granular security, it is not a free lunch for developers. Simply saying "The WAF will stop it" subverts the entire thinking and purpose of shifting left. Rather, developers must move from thinking of Web application firewalls (WAFs) as a prophylactic to instead thinking of WAFs as an essential part of their secure coding test process. Here is how they can do that.
The Explosion of WAFs and Cloud-Native Software
While many companies still deploy WAF appliances, the fastest-growing segment of this market is WAF software that runs in the cloud. With the rise of cloud-native architectures and ephemeral infrastructure, more organizations are placing WAFs deeper into their application stacks, right in front of microservices. Some are even using WAFs for internal security to enact robust zero-trust frameworks. So the new reality is that developers are far more likely to come into close contact with WAFs today than at any point in the past. That said, WAFs at the microservice level are not foolproof.
Before Deploying the WAF: Secure Coding Is Critical
To start, developers must create applications under the assumption that all security controls can and will fail. This is important because it encourages them to build applications that are secure by default. Secure coding means using basic design principles (like code minification to obscure code) while ensuring that all variables and calls are checked against the OWASP Top 10 vulnerability list. There are dozens of ways that attackers can exploit poorly written code, including SQL injection, cross-site scripting, broken access controls, and file upload vulnerabilities.
A key part of this effort is to ensure developers are running linters and formatting checkers against all code. Developers should also run code through software composition analysis (SCA) to identify risky dependencies and libraries that require updates. A secure coding process and mentality is more important now because cloud-native microservices have turned security inside out.
At this point, the application security or DevSecOps teams run the code against some kind of simulation and add the WAF. For many developers, that is the end of the story. They assume, "We have deployed a WAF. We're safe now." They are wrong. Increasingly, the applications developers ship are microservices, connected via APIs. Developers "own" their microservices and APIs and are responsible for their security. The microservices and APIs may have highly specific rules and optimizations that can affect WAF behaviors and policies. Every application is different, and many unique APIs emerge.
For microservices, developers tend to ship code rapidly and iterate faster on microservices because these smaller applications are loosely coupled and do not affect other applications. That makes for greater agility but also greater security risk if the changes are not run through the same rigorous security process that was observed at application launch.
Learning to Think Like a WAF Operator
Developers should always ask themselves before they ship code, "How will this affect my WAF coverage and security posture?" This question is useful because it teaches them to think about how WAFs are working and not working; in other words, threat modeling.
Threat modeling is important because there are known ways that attackers work around WAFs or exploit WAF weaknesses. For example, by default, Kubernetes exposes APIs for services and connections. Locking down Kubernetes APIs without breaking functionality is notoriously difficult, particularly if you are changing the applications and the service calls within the applications frequently. Recently, the Shadowserver Foundation calculated that 84% of Kubernetes API servers had left themselves exposed to detection on the public Internet.
Understanding a WAF is a key precursor to threat modeling and, by extension, to thinking like a firewall operator. Some WAF comprehension is tacit knowledge. For instance, tuning a WAF to limit false positives and false negatives to an acceptable level remains challenging. Developers looking to shift left can piggyback on experienced WAF operators to learn the tuning process and, in turn, better understand how the WAF responds to real-world traffic. Today, some organizations also deploy machine learning to help developers tune their WAFs more easily by making rule and policy suggestions based on unsupervised learning across multiple WAFs.
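As an added illustration (not code from the original article) of two points above, that every security control can fail and that WAF tuning trades false positives against coverage: a simulated WAF signature sits in front of a parameterized lookup, the naive rule blocks a legitimate surname, the operator-tuned rule admits it, and the application's own allowlist and parameterized query still reject a malformed value even with the WAF switched off. The rule patterns, surname allowlist and sample data are constructed assumptions.

```python
import re
import sqlite3

# Constructed WAF signature (hypothetical): a naive SQL-injection pattern that
# blocks any value containing a quote, a comment marker, a semicolon, or "OR".
NAIVE_RULE = re.compile(r"('|--|;|\bOR\b)", re.IGNORECASE)
# Tuned variant: an operator has dropped the bare quote after seeing that a
# name field legitimately contains apostrophes (false-positive reduction).
TUNED_RULE = re.compile(r"(--|;|\bOR\b)", re.IGNORECASE)

# Application-level allowlist for a surname: letters, apostrophe, hyphen, space.
SURNAME_OK = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")


def waf_allows(params, rule):
    """Simulated WAF: allow the request only if no parameter matches the rule."""
    return not any(rule.search(value) for value in params.values())


def lookup_user(conn, surname):
    """Application layer: parameterized query, so the value is never parsed as SQL."""
    rows = conn.execute("SELECT id FROM users WHERE surname = ?", (surname,))
    return [row[0] for row in rows.fetchall()]


def handle_request(conn, params, rule=NAIVE_RULE, waf_enabled=True):
    """Two independent layers: the WAF first, then the app's own validation and query."""
    if waf_enabled and not waf_allows(params, rule):
        return {"status": 403, "ids": []}  # blocked at the perimeter
    surname = params.get("surname", "")
    if not SURNAME_OK.fullmatch(surname):
        return {"status": 400, "ids": []}  # rejected by the app's allowlist
    return {"status": 200, "ids": lookup_user(conn, surname)}


def build_db():
    """Constructed in-memory sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, surname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "O'Brien"), (2, "Smith")])
    return conn


if __name__ == "__main__":
    db = build_db()
    legit = {"surname": "O'Brien"}
    print(handle_request(db, legit))                   # 403: naive rule false positive
    print(handle_request(db, legit, rule=TUNED_RULE))  # 200, ids [1]: tuned rule admits it
    probe = {"surname": "x' OR 1=1 --"}                # malformed value with SQL metacharacters
    print(handle_request(db, probe, waf_enabled=False))  # 400: app rejects it without the WAF
```

Swapping `NAIVE_RULE` for `TUNED_RULE` is the tuning loop the text describes: the developer who owns the surname field is the one who knows an apostrophe is legitimate there.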
Better WAF Comprehension Leads to More Secure Code
Even better, good WAF comprehension also transfers over into more secure coding. Developers who intimately understand WAFs, and have hands-on experience tuning them, benefit from tacit knowledge that is difficult to teach and expertise that goes beyond Open Web Application Security Project (OWASP) checklists. An equally good practice is, in a safe environment, to have developers work alongside red-team members to see how a realistic attacker might compromise their apps and bypass default WAF settings.
The bottom line is simple: Developers, take time to understand your WAF and learn its weaknesses. WAF knowledge will help you write secure code now and save your apps from being hacked in the future.