How to choose the right WAF

Ashley Hurwitz

Content Marketing Manager, Fastly

Applications and APIs are the backbone of modern businesses. They power customer interactions, process sensitive data, and drive revenue. However, the growing reliance on these digital assets makes them attractive targets for cyberattacks. Web application firewalls (WAFs) are built to secure applications and APIs, but because they’ve been around for decades, capabilities vary widely between vendors. To make matters worse, buyers are bombarded with marketing claims and technical jargon, making it difficult to truly differentiate between them. Have no fear, we’re here to help with guidance on the WAF features and capabilities that are crucial to your organization.

WAF must-have features

A few starting requirements are necessary for a WAF solution to even be considered. The OWASP Top 10 outlines the ten most critical security risks to web applications. If a WAF can’t identify and block the OWASP Top 10, it leaves you vulnerable to the most common and dangerous threats.

Other essential WAF features include support for IP/CIDR, geo, and ASN allow/block lists. These features let you take broad strokes against malicious traffic by allowing or blocking requests based on source IP address or CIDR range, geographic location, or Autonomous System Number (ASN). This reduces the burden on your security team by minimizing the need for a multitude of complex, granular rules. However, granular policy enforcement remains crucial. A WAF should allow you to define rules with varying levels of detail, applicable globally, to groups of domains, or to individual domains. This ensures a balance between efficiency and customization for different applications or regions.
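As an added example (not code from Fastly or from this post), the following Python sketch shows how such scoped lists can be evaluated in practice: a global rule for broad strokes, a domain-group rule that carves out an exception for a partner range, and a per-domain rule set that locks an admin console to an office network. The most specific scope is consulted first; a request that hits no list continues to ordinary WAF inspection. Every hostname, prefix, country code, and ASN is a constructed placeholder (documentation address ranges and documentation ASNs), as are the `Policy`, `ListRule` and `Request` names.

```python
"""Scoped IP/CIDR, geo and ASN allow/block list evaluation.

Added example, not Fastly's code. It shows the layering described in the
text: list rules attached at global, domain-group and single-domain scope,
with the most specific scope consulted first. Every hostname, network,
country code and ASN below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class ListRule:
    """One allow/block entry; any matching selector triggers the action."""
    action: str                                   # "allow" or "block"
    cidrs: list[str] = field(default_factory=list)
    countries: set[str] = field(default_factory=set)
    asns: set[int] = field(default_factory=set)

    def matches(self, ip: str, country: str, asn: int) -> bool:
        addr = ip_address(ip)
        # A v6 address never matches a v4 network (and vice versa); `in` returns False.
        return (any(addr in ip_network(c) for c in self.cidrs)
                or country in self.countries
                or asn in self.asns)


@dataclass
class Request:
    host: str
    ip: str
    country: str   # ISO country code as supplied by a geo lookup
    asn: int       # origin ASN as supplied by a routing/ASN lookup


class Policy:
    """Rules per scope; within a scope the first matching rule wins."""

    def __init__(self) -> None:
        self.global_rules: list[ListRule] = []
        self.group_rules: dict[str, list[ListRule]] = {}
        self.domain_rules: dict[str, list[ListRule]] = {}
        self.domain_group: dict[str, str] = {}   # host -> group name

    def decide(self, req: Request) -> str:
        # Most specific scope first: single domain, then its group, then global.
        scopes = (
            self.domain_rules.get(req.host, []),
            self.group_rules.get(self.domain_group.get(req.host, ""), []),
            self.global_rules,
        )
        for rules in scopes:
            for rule in rules:
                if rule.matches(req.ip, req.country, req.asn):
                    return rule.action
        # No list matched: hand the request on to the WAF's signature/rule engine.
        return "inspect"


def build_sample_policy() -> Policy:
    """Constructed policy mirroring the global / group / domain layering."""
    policy = Policy()
    # Global broad strokes: block a constructed abusive ASN and a blocklisted /24.
    policy.global_rules.append(ListRule("block", cidrs=["203.0.113.0/24"], asns={64496}))
    # Domain group "partner-apis": a partner's /26 inside that /24 is allowed through.
    policy.domain_group["api.example.test"] = "partner-apis"
    policy.group_rules["partner-apis"] = [ListRule("allow", cidrs=["203.0.113.0/26"])]
    # Single domain: the admin console accepts only the office network, blocks the rest.
    policy.domain_rules["admin.example.test"] = [
        ListRule("allow", cidrs=["198.51.100.0/24"]),
        ListRule("block", cidrs=["0.0.0.0/0", "::/0"]),
    ]
    return policy


def decide(host: str, ip: str, country: str = "US", asn: int = 64500) -> str:
    """Evaluate one constructed request against the sample policy."""
    return build_sample_policy().decide(Request(host, ip, country, asn))


if __name__ == "__main__":
    for host, ip, asn in [
        ("www.example.test", "203.0.113.10", 64500),    # global /24 block
        ("api.example.test", "203.0.113.10", 64500),    # group allow takes precedence
        ("api.example.test", "203.0.113.100", 64500),   # outside the /26, global block
        ("admin.example.test", "198.51.100.7", 64500),  # office network allowed
        ("admin.example.test", "192.0.2.5", 64500),     # everything else blocked
        ("www.example.test", "192.0.2.5", 64496),       # blocked by ASN alone
        ("www.example.test", "192.0.2.5", 64500),       # no list hit, inspect
    ]:
        print(f"{host:20} {ip:15} AS{asn} -> {decide(host, ip, asn=asn)}")
```

The ordering is the part worth checking when you evaluate a product: a per-domain allow that cannot override a global block, or a group exception that silently loses to a later global rule, is exactly the kind of behaviour that forces teams back into writing many granular rules.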

A comprehensive solution offers a layered defense against a range of web application and API security threats. Some vendors have adopted the term web application and API protection (WAAP), first coined by Gartner, to refer to their solution. Most WAAP platforms begin with a WAF, and the other capabilities are either included or provided as add-on components. Depending on your organization’s needs, you may need all of these capabilities or a subset.

Let’s consider all components below as part of the overall WAF solution: 

Bot Mitigation

Protects against automated bots that can scrape data, launch denial-of-service attacks, or engage in credential stuffing while allowing good bots and human traffic. Bot mitigation employs various techniques like CAPTCHA and JavaScript challenges, client fingerprinting, and IP reputation checks to identify and block automated bot traffic. Bot mitigation solutions should have the granularity to differentiate between good bots (e.g., search engine bots) and bad bots (e.g., scraper bots).

DDoS Protection

Safeguards your applications and APIs from Distributed Denial-of-Service (DDoS) attacks that overwhelm systems with traffic, causing outages. WAF solutions can mitigate DDoS attacks by filtering malicious traffic, absorbing attack traffic volume, and maintaining application availability. Attacks can come at different layers in your network, so a solution that offers Layer 3/4 and Layer 7 DDoS protection will provide greater protection than just a Layer 7 solution.

API Security

Many modern applications rely heavily on APIs to connect and exchange data. WAF solutions should offer specific security controls to protect APIs, including authentication, authorization, and API traffic monitoring. With API security, you’ll want to ensure the WAF supports your API formats (REST, GraphQL, gRPC, etc.).

Threat Intelligence for proactive security measures

While not a core component, threat intelligence is a valuable addition to a WAF solution. It provides real-time insight into evolving cyber threats and attack methods, with the goal of letting security teams be proactive in their defense. First-party IP reputation intelligence feeds, updated daily, offer more accurate and stronger protection. Frequent updates prevent yesterday's malicious activity from affecting today's legitimate traffic, especially from shared IPs.

When evaluating IP reputation intelligence, consider whether it’s presented as a binary verdict (attacker/legitimate traffic) or as a risk score. While both are additive, risk scores raise questions about what arbitrary expression was used to create them, how often they’re updated, and how to treat a risk score of 59 vs. 65 without inadvertently impacting legitimate users and creating a spike in false positives. A system with high accuracy can bypass that complexity and simply let you block attackers while letting legitimate traffic through without false positives.

How to choose the best WAF for your organization

Keep in mind that a WAF is not a one-size-fits-all solution! Businesses must thoroughly evaluate a WAF’s deployment, configuration, management, and security capabilities to ensure that it fits their web application security needs and seamlessly integrates into their infrastructure.

If you’re looking for further help assessing your WAF options, download the Essential WAF Buyer’s Guide. This guide aims to bridge the information gap so you can make a confident decision. Discover what to look for in a modern-day WAF so you can better protect your apps and APIs both today and into the future.