The AWS WAF (Web application firewall) protects your web servers from malicious attacks from the internet and provides DDoS protection at a very low cost compared to all other available solutions. With so many automated bots looking to exploit vulnerabilities, you can be hacked even if you’re not targeted. Once a bot scan has found you susceptible to a certain vulnerability, it will extract as much information as possible. In today’s world, you must take active steps to protect yourself before something bad happens.

Typically, you fully open up your web application to the internet. For example, in most cases you allow any request going to port 80 or 443 to go directly to the web server, without any filtering, and leave it up to the web server on whether or not to respond. This is like not locking your front door because you like your neighbors. We all lock our doors because we don’t want strangers rifling through our drawers, so why would we let anyone come to our web servers and send it any request they like?

You know that you shouldn’t, but security is really hard to implement and maintain.

AWS WAF can make security highly automatable. Everything can be configured and updated with an API so that it can be integrated into your development and test workflows. However, as usual, AWS provides us with some but not all of the building blocks you need to operationalize this process.

AWS WAF provides a few layers of security that we can take advantage of:

  • General and known vulnerabilities (OWASP)
  • DDoS attacks
  • Custom filtering to allow only what your application needs (HTTP Methods, URLs, post data, etc)

Using the AWS WAF solution without being a security expert starts you down the right path - you’ve locked your doors but not your windows. It provides you protection with default rules, but those rules have not been updated since it was created in June 2017. Vulnerabilities are constantly changing and you should update these rules to defend against these new threats.

Now, let’s think about your specific application. You should create rules to detect and limit traffic to your application to further reduce the attack surface:

  • Endpoint path URLs
  • HTTP Methods
  • Required/deny headers
  • Type of PUT/POST data that you want

By providing the appropriate amount of access for your web application, you reduce the risk of unknown vulnerabilities. Limiting unnecessary access means less availability for someone to exploit your application with. Don’t leave your window open to the world.

This requires you to add the WAF into your software development life cycle (SDLC). By adding the WAF into your development and test processes, you can treat these rules as part of your software. The AWS WAF can be created via the AWS API and can be fully integrated into a CI/CD workflow. When your web application changes, you should always reassess your security and update it as necessary. During the end to end tests, the updated WAF rules can be applied by automation and tested to ensure everything still works as designed before hitting production. This will also allow your security team to easily contribute and assess your application security. They can make changes and test those changes in their own sandbox area without affecting other developers or live systems.

Good security practice involves layers and defense in depth that are being constantly updated to keep it current and customized to your application. Security must be one of your main software features, something that is continually improved and updated to fit your needs.