Why WAF and Firewall Solutions Will Not Help Against Third-Party Website Attacks
Article updated in April 2022
An interactive, dynamic website is the online face of your business and a critical factor in its success. At the same time, it creates a severe blind spot: the traffic between the user's browser and the third parties your pages load. No matter how good the WAF and firewall in front of your website are, they are irrelevant to a third-party attack, because that traffic never passes through them and is neither monitored nor even seen by those tools.
This article will walk you through the limitations of what a WAF or a perimeter firewall can achieve, and why it’s not enough to handle today’s threat landscape.
Understanding the Traffic in your Environment
So, why are firewall and WAF solutions not good enough? Most security-conscious businesses already deploy perimeter controls from leading vendors, such as firewalls or a Web Application Firewall (WAF), in front of their websites to ward off cybercriminals. They pat themselves on the back and assume they are reasonably safe from online risk as a result.
However, that is not enough in today's ever-changing technology space, and especially not with the rise of connected, third-party-heavy web environments.
It's easy to think of all traffic as the same, but in reality there are several kinds. There is the traditional kind, from the user's browser to your servers, and this is what a web application firewall inspects. Then there is internal traffic, which never leaves your environment and has grown since the rise of cloud computing; next-generation firewalls and micro-segmentation projects are working to cover it. Finally, there is traffic between external parties: from the user's browser to a third party, and from that third party back to the user. Your website is merely the medium that creates the connection, because the third-party script it embeds runs inside the user's browser and opens its own connections to the vendor's servers. Your WAF never knows the communication took place, since it never touches your internal systems or back-end servers.
Because WAFs and traditional firewalls are blind to this "external to external" traffic, they offer no protection against it.
This means you are simply not protected against third-party threats on the web that use your website to steal data from your users. These third parties are already on your website, and may be acting with or without your consent.
This situation demands that you think outside the box.
The Role of Firewalls and WAFs
Both firewalls and WAFs protect and monitor the traffic between the end user and the web server. Firewalls concentrate on layers 3 and 4 of the OSI model (IP addresses, ports and TCP/UDP connection state), although next-generation firewalls add some application-layer inspection. WAFs focus on layer 7, inspecting HTTP requests for maliciously crafted input.
Together, these controls are meant to block attacks on your web server, and server-side attacks aimed at its visitors, whether they are launched deliberately or triggered by accident.
And don't get us wrong. These solutions are powerful! They can protect against attacks such as code and SQL injection, XSS, command injection and authentication bypass, absorb DDoS traffic, and flag some misconfigurations. But WAF and firewall solutions only partially cover the threat landscape, and as perimeter defences they leave a huge blind spot in the shape of third-party risk.
So, What Is the Underlying Problem? Where’s the Blind-Spot?
When you think about how any business website that uses third-party digital applications actually works, the process is the following. A third-party script is loaded into the client side, that is, the user's browser, and from there it establishes its own connection between the end user and the third-party vendor.
By the very nature of this process, the entire connection between the end user and any third party on a given website is not monitored by the existing security solutions, usually the WAF and firewall. As we said, these are perimeter defences for the website and do not watch the client side. But it gets worse: these tools are not even aware that any communication between the two endpoints has taken place.
This leaves you with no way to know what any third party on your website actually does: where its scripts run, how they interact with other components, or which remote domains they connect to.
From a pure privacy point of view, these components perform tracking independently of you. Once again, your ability to detect such activity, which bears directly on your obligations under regulations from GDPR to CCPA, is severely limited. This is a seriously dangerous blind spot on your website.
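The mechanism described above, as an added example that is not part of the original article: a small Node.js model of the client-side path that a perimeter WAF never sees. A third-party script running in the page reads checkout fields and posts them straight to the vendor's own domain, so the request is never addressed to the protected origin. The second half shows the one place a check can be applied, the browser itself, with a simplified evaluation of a Content-Security-Policy connect-src directive. The origins, form values and CSP headers are constructed for the demo, and the CSP matcher is a reduced reading of the directive, not a full implementation.

```javascript
// Added example (not from the original article): models in plain Node.js the
// client-side path a WAF never sees. A third-party script embedded in the page
// reads form fields inside the browser and posts them to its own domain, so the
// request never passes the site's perimeter. Origins and form values below are
// constructed for the demo. The CSP checker is a simplified reading of the
// connect-src directive, enough to show where a browser-side control applies.

const SITE_ORIGIN = "https://shop.example";              // origin the WAF sits in front of
const THIRD_PARTY_ORIGIN = "https://cdn.vendor.example"; // origin the vendor script talks to

// Stand-in for the checkout form the script can read once it runs in the page.
const checkoutForm = { cardNumber: "4111111111111111", cvv: "123", email: "a@b.example" };

// What a skimming-style third-party script does: serialise the fields it can see
// and send them to a destination of the vendor's choosing.
function buildExfilRequest(form, destinationOrigin) {
  const body = new URLSearchParams(form).toString();
  return { method: "POST", url: destinationOrigin + "/collect", body };
}

// A perimeter WAF inspects only requests addressed to the site's own origin.
function wafWouldSee(request) {
  return new URL(request.url).origin === SITE_ORIGIN;
}

// Minimal CSP header parser: directive name -> list of source expressions
// (surrounding quotes stripped, so 'self' becomes self).
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.replace(/^'|'$/g, ""));
  }
  return directives;
}

// Would the browser allow a fetch/XHR/beacon from this page to `url` under the
// given CSP? Falls back to default-src when connect-src is absent, as browsers do.
function connectAllowed(cspHeader, url, pageOrigin) {
  const csp = parseCsp(cspHeader);
  const sources = csp["connect-src"] || csp["default-src"];
  if (!sources) return true; // no policy: the browser imposes no restriction
  const target = new URL(url);
  for (const src of sources) {
    if (src === "none") return false;
    if (src === "*") return true;
    if (src === "self") {
      if (target.origin === pageOrigin) return true;
      continue;
    }
    if (src.endsWith(":")) { // scheme source such as https:
      if (target.protocol === src) return true;
      continue;
    }
    // host source, optionally with a scheme, port or path, and a leading wildcard
    const afterScheme = src.includes("://") ? src.split("://")[1] : src;
    const host = afterScheme.split("/")[0].split(":")[0].toLowerCase();
    if (host.startsWith("*.")) {
      if (target.hostname.endsWith(host.slice(1))) return true;
    } else if (host === target.hostname) {
      return true;
    }
  }
  return false;
}

// Walk the scenario end to end and report what each control observes.
function scenario(cspHeader) {
  const request = buildExfilRequest(checkoutForm, THIRD_PARTY_ORIGIN);
  return {
    destination: new URL(request.url).hostname,
    seenByWaf: wafWouldSee(request),
    allowedByBrowser: connectAllowed(cspHeader, request.url, SITE_ORIGIN),
  };
}

console.log(scenario("")); // no CSP: the WAF is blind and the browser permits the post
console.log(scenario("default-src 'self'; connect-src 'self' https://api.shop.example"));
```

The point of the two runs is the combination: with no policy the WAF reports nothing and the browser happily sends the card data to the vendor; with a connect-src allow-list the request is refused at the only hop that actually carries it. The allow-list has to be maintained, and a vendor that legitimately needs a new endpoint will break until it is added, which is exactly the visibility the article says you currently lack.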
Can you guarantee that web behavior of third-parties is secure?
Let's think about the behaviour of these third parties, and how any business website that uses them actually works. Because these components are fetched from the vendor's servers, they are loaded afresh when the user visits the page. But what exactly is loaded? It can change on every visit, depending on the vendor's profile of the user, on where the user is browsing from, or simply because the vendor has shipped a new version.
Even if you add a second layer of assurance, such as code review or penetration testing, the conclusion is the same: these point-in-time controls are only valid for the day of the test and for the specific cases that were examined, and cannot assure your security beyond that.
What do you do when the vendor releases a new version, fully automatically, that is already trusted to act within the existing connection between that vendor and your end user? And what about the vendor's own vendors, the fourth-party relationships into which you have even less visibility?
Security controls such as next-gen firewalls or WAF, can defend the web-server from malicious actor’s activities. However, the big question is what can protect the end-users who hold all the data themselves?
You’re looking in the wrong direction
The average security department spends millions of dollars building a strong perimeter defence for the website and validating every line of code before it is deployed. But these teams are all missing a big chunk of code: dozens of third-party scripts, each of which bypasses the traditional security process completely and can reach your most sensitive data, as well as customer information whose exposure leaves you open to compliance risk and privacy breaches.
Are you willing to be accountable for this blind spot? Judging by the penalty the ICO imposed on British Airways, a regulator will treat the theft of customers' personal data by a script on your web pages as a breach of your obligations under privacy regulation. For British Airways, the ICO's original notice of intent was for a fine of £183 million; in October 2020 the final penalty was reduced to "only" £20 million.
No matter how you look at it, you cannot afford to expose yourself to this level of risk. With a little foresight, you don't have to: it can be avoided by deploying the right security solution for your website.
Your indispensable third-parties: “Handle with care”
In this era of heightened competition, the services that third-party web tools and applications provide are invaluable for enriching the functionality of any business website.
However, ignoring the risk they pose could be your greatest mistake, especially considering that they have access to your customers' sensitive and confidential data, and to everything else residing on your web pages.
Remember, these components run inside your pages with the same access as your own code, and their behaviour is controlled from the vendor's servers. You may think you have protected your website to the highest degree. But can you guarantee that the third parties integrated into the backbone of your website, which you have authorised to perform any operation there, will live up to the same standard?
Maybe, or maybe not.