David Strom has written a practical guide on How to Buy a Web Application Firewall. To start, says Strom, "read up on these products from OWASP here. This is a consortium of vendors and leading Web security developers who have tried to put down in one place what you need to know to build the best possible Web applications and protect them from harm. They have a comprehensive vendor list, a collection of best practices, sample "top-ten" attacks that you can use to harden your own applications and an evaluation guide."
Then, ask (and answer) these questions:
- Can the product decrypt SSL traffic streams and examine potential exploits that are in these payloads?
- How much inbound and outbound traffic can the appliance handle?
- How quickly can they learn about your traffic patterns and translate them into implemented and useful policies?
- How much of the Payment Card Industry (PCI) Data Security Standard (DSS) requirements do they automatically handle?
- Do you already have anti-virus, load balancing, proxy servers, or intrusion protection devices? If so, look for Web application firewall add-ons to your existing products or those that combine two or more protective technologies.
Check out the full article at the link below for an introduction to web application firewalls, a list of vendors, and how the questions above can help you choose the best web application firewall for your organization.