APPL-02

Are you using a web application firewall (WAF)?

Explanation

This question is asking whether your organization uses a Web Application Firewall (WAF) to protect your web applications. A WAF is a security tool that monitors, filters, and blocks HTTP/HTTPS traffic to and from web applications. Unlike traditional firewalls that operate at the network level, WAFs specifically protect web applications by inspecting HTTP traffic and blocking common web attacks such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities.

This question is asked in a security assessment because WAFs are considered an important security control for protecting web applications from attacks. They provide an additional layer of defense beyond secure coding practices. Organizations that handle sensitive data are typically expected to implement WAFs as part of their defense-in-depth strategy.

When answering this question, you should:

1. Clearly state whether you use a WAF
2. Specify which WAF solution you use (e.g., AWS WAF, Cloudflare, F5, ModSecurity)
3. Mention where the WAF is deployed (in front of all public-facing applications, only critical applications, etc.)
4. Briefly describe how it's configured (e.g., using the OWASP core rule set, custom rules)
5. Note any monitoring or management processes for the WAF

If you don't use a WAF, explain what compensating controls you have in place to protect web applications.

Example Responses

Example Response 1

Yes, we use AWS WAF as our web application firewall solution. It is deployed in front of all our public-facing web applications hosted on AWS. Our WAF is configured with both the AWS managed rule sets (including the OWASP Top 10 core rule set) and custom rules specific to our applications. We have implemented rate limiting to prevent brute force attacks, IP reputation filtering, and geographic restrictions where appropriate. Our security team reviews WAF logs daily and receives alerts for detected attacks. The WAF configuration is updated monthly or when new threats are identified.

Example Response 2

Yes, we implement Cloudflare WAF for all our customer-facing web applications. The WAF is configured with Cloudflare's managed ruleset, which includes protection against OWASP Top 10 vulnerabilities, as well as custom rules tailored to our specific application needs. We operate the WAF in logging mode for 24 hours when implementing new rules to prevent false positives before switching to blocking mode. Our security operations team monitors WAF alerts 24/7 and conducts weekly reviews of WAF effectiveness. Additionally, we perform quarterly penetration tests to verify WAF configurations are properly protecting our applications.
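The "logging mode first, then blocking" step in Example Response 2 only works if someone actually triages what the count-only window recorded. The script below is an added example, not code from ResponseHub or from any WAF vendor: it reads a constructed, simplified JSON-lines log (one object per request with the rules that would have blocked it) and applies a heuristic to separate rules that look like false positives on a legitimate endpoint from rules that can be promoted to blocking mode as-is. The field names and thresholds are assumptions, not a vendor's real log schema.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of one logging-only (count mode) window. Hypothetical schema,
# not a real capture: every request was ALLOWed, countedRules lists what *would* have fired.
SAMPLE_LOG = """
{"action":"ALLOW","clientIp":"203.0.113.10","uri":"/api/comments","countedRules":["SQLi_BODY"]}
{"action":"ALLOW","clientIp":"203.0.113.11","uri":"/api/comments","countedRules":["SQLi_BODY"]}
{"action":"ALLOW","clientIp":"203.0.113.12","uri":"/api/comments","countedRules":["SQLi_BODY"]}
{"action":"ALLOW","clientIp":"203.0.113.13","uri":"/api/comments","countedRules":["SQLi_BODY"]}
{"action":"ALLOW","clientIp":"203.0.113.10","uri":"/api/comments","countedRules":["SQLi_BODY"]}
{"action":"ALLOW","clientIp":"198.51.100.7","uri":"/login","countedRules":["XSS_QUERYARGS"]}
{"action":"ALLOW","clientIp":"198.51.100.7","uri":"/search","countedRules":["XSS_QUERYARGS"]}
{"action":"ALLOW","clientIp":"198.51.100.7","uri":"/profile","countedRules":["XSS_QUERYARGS"]}
{"action":"ALLOW","clientIp":"198.51.100.7","uri":"/login","countedRules":["XSS_QUERYARGS","SQLi_BODY"]}
{"action":"ALLOW","clientIp":"203.0.113.20","uri":"/search","countedRules":[]}
"""

def parse_log(text):
    """Parse JSON-lines WAF records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def rule_stats(records):
    """Per rule: total hits, number of distinct client IPs, and hits per URI."""
    hits, clients, uris = Counter(), defaultdict(set), defaultdict(Counter)
    for rec in records:
        for rule in rec.get("countedRules", []):
            hits[rule] += 1
            clients[rule].add(rec["clientIp"])
            uris[rule][rec["uri"]] += 1
    return {r: {"hits": hits[r], "clients": len(clients[r]), "uris": uris[r]} for r in hits}

def triage(records, concentration=0.8, min_clients=3):
    """Heuristic verdict per rule before flipping from logging to blocking mode.
    Many distinct clients tripping one rule on one endpoint usually means a legitimate
    feature matches the signature: scope an exclusion for that URI before blocking.
    Hits spread across endpoints from few clients can be promoted to block unchanged."""
    verdicts = {}
    for rule, s in rule_stats(records).items():
        top_uri, top_hits = s["uris"].most_common(1)[0]
        share = top_hits / s["hits"]
        if share >= concentration and s["clients"] >= min_clients:
            verdicts[rule] = ("review_exclusion", top_uri)
        else:
            verdicts[rule] = ("promote_to_block", None)
    return verdicts

if __name__ == "__main__":
    for rule, (verdict, uri) in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{rule:16} {verdict:18} {uri or ''}")
```

The verdicts are a starting point for a human review, not a substitute for it: a rule flagged as `review_exclusion` should be narrowed to the offending endpoint or parameter rather than disabled globally.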

Example Response 3

No, we currently do not use a dedicated web application firewall. Instead, we rely on a combination of other security controls to protect our web applications. These include secure development practices following OWASP guidelines, regular code security reviews, third-party penetration testing twice a year, and network-level firewalls with some application-aware filtering capabilities. We recognize this is a gap in our security architecture and have included WAF implementation in our security roadmap for the next quarter. We have already begun evaluating ModSecurity and F5 Advanced WAF solutions to determine which best fits our environment.

Context

Tab: Infrastructure
Category: Application/Service Security

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub