Estimates on the effectiveness of web application firewalls against targeted attacks

Purpose – The purpose of this paper is to estimate the effectiveness of web application firewalls (WAFs) at preventing injection attacks by professional penetration testers given presence or absence of four conditions: whether there is an experienced operator monitoring the WAF; whether an automated black box tool has been used when tuning the WAF; whether the individual tuning the WAF is an experienced professional; and whether significant effort has been spent tuning the WAF.

Design/methodology/approach – Estimates on the effectiveness of WAFs are made for 16 operational scenarios utilizing judgments by 49 domain experts participating in a web survey. The judgments of these experts are pooled using Cooke's classical method.

Findings – The results show that the median prevention rate of a WAF is 80 percent if all measures have been employed. If no measure is employed then its median prevention rate is 25 percent. Also, there are no strong dependencies between any of the studied measures.

Research limitat...
