

Web Application Firewalls vs. Security Scanners – A Not So Subtle Difference

January 6, 2018
web application firewalls and security scanners, WAF, Security Scanners, web application firewalls, WAF vs Security Scanners

All testers know that most applications are built in three basic layers: UI, application, and database. When these layers are chained together, what you get is a functioning web application. The Open Systems Interconnection (OSI) model is a categorization of the layers involved in handling a network packet, from the physical layer all the way up to, for example, a web application. When we filter with a firewall, we are often working at Layer 2 or Layer 3, which is much simpler: MAC addresses, IP addresses, packet headers and the like are easy to extract and work with. All the way up at Layer 7, however, the content is completely dynamic, consisting of HTTP headers, binary data, and a mess of standards, so filtering on this content can sometimes border on the impossible. The web application itself can also be protected through web application firewalls and security scanners.

[Figure: IPv4 OSI model]

To protect this layer, administrators often turn to a web application firewall (WAF), placing it in front of their web applications. This is good, but often not enough. A WAF can mitigate active threats, but to secure your web applications before the WAF even needs to protect them, you should also employ a web application security scanner. Here we will see how web application firewalls and security scanners protect the web application and prevent attacks at its edge.

What Is A Web Application Security Scanner?

Web application security scanners do share some similarities with a WAF, such as detecting threat patterns in a request or its content. But the biggest and most important difference is that they operate in different realms of time. This sounds existential, but it is not: a WAF is reactive, responding to active threats as they happen, whereas a scanner is proactive, finding threats before they can exist in production.

Scanners do this by autonomously walking through your web applications, be they rendered websites or REST APIs, and probing for a wide variety of known and potential web application vulnerabilities. The best scanners can even automatically learn and provide realistic examples of confirmed exploits against your web applications. This allows you to tackle potential vulnerabilities before a WAF even needs to block them.

Which Is Better: Web Application Firewalls or Security Scanners?

We would not necessarily say one is “better” than the other, since each presents its own advantages in different areas, but there is indeed a stronger argument in favor of being proactive rather than reactive. Obviously, the less a WAF has to catch, the better off you are. Removing risks from your web applications before they hit production is a clear win.

A web application security scanner can also be integrated into your SDLC (software development life cycle), which is something a reactive security component cannot provide (bug-fix tickets and the like notwithstanding). As part of continuous integration tests, a QA engineer can use a scanner to ensure that a build meets its security requirements. Scanners are also a valuable asset to security teams, providing an information-rich audit trail and increasing the overall security posture of the company.
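The SDLC integration described above usually comes down to one mechanical step: the pipeline runs the scanner against a build, reads its report, and fails the job when findings exceed an agreed policy. The following is an added example of such a quality gate, not code from the original post or from any scanner product. The JSON report structure, the finding ids, the target URL and the severity names are all constructed for illustration; a real pipeline would swap `parse_findings` for a parser of the scanner's actual output format.

```python
"""Added example: a CI quality gate that consumes a web application security
scanner's report and fails the build when findings exceed the configured policy.
The report format is a constructed, generic JSON structure (an assumption for
this example), not the output of any particular scanner product."""

import json
import sys
from collections import Counter

# Constructed sample report, standing in for what a scanner might emit after
# crawling and probing a staging build. Target and ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "target": "https://staging.example.test",
    "findings": [
        {"id": "F-1", "severity": "high", "confirmed": True,
         "title": "Reflected input in search parameter", "url": "/search?q="},
        {"id": "F-2", "severity": "medium", "confirmed": False,
         "title": "Missing security header", "url": "/"},
        {"id": "F-3", "severity": "low", "confirmed": True,
         "title": "Verbose server banner", "url": "/"},
    ],
})

# Ordering used to compare a finding against the policy threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_findings(report_text):
    """Return the list of finding dicts from the report; reject malformed input
    loudly rather than silently passing the gate on an empty or broken report."""
    data = json.loads(report_text)
    findings = data.get("findings")
    if not isinstance(findings, list):
        raise ValueError("report has no 'findings' list")
    for f in findings:
        if f.get("severity") not in SEVERITY_RANK:
            raise ValueError(
                f"finding {f.get('id')} has unknown severity {f.get('severity')!r}")
    return findings


def evaluate_gate(findings, fail_at="high", confirmed_only=False, accepted_ids=()):
    """Apply the build policy.

    fail_at        -- lowest severity that fails the build
    confirmed_only -- ignore unconfirmed findings when deciding (still counted)
    accepted_ids   -- finding ids covered by an approved risk acceptance
    Returns (passed, blocking_findings, counts_by_severity).
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking = []
    counts = Counter()
    for f in findings:
        counts[f["severity"]] += 1
        if f["id"] in accepted_ids:
            continue
        if confirmed_only and not f.get("confirmed", False):
            continue
        if SEVERITY_RANK[f["severity"]] >= threshold:
            blocking.append(f)
    return (len(blocking) == 0, blocking, dict(counts))


def run_gate(report_text, **policy):
    """Print a summary and return the process exit code for the CI job."""
    findings = parse_findings(report_text)
    passed, blocking, counts = evaluate_gate(findings, **policy)
    print(f"scanner findings by severity: {counts}")
    for f in blocking:
        print(f"BLOCKING {f['id']} [{f['severity']}] {f['title']} at {f['url']}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    # Fail the build on any high or critical finding.
    sys.exit(run_gate(SAMPLE_REPORT, fail_at="high"))
```

Counting every finding while only blocking on those above the threshold keeps the lower-severity results visible in the job log, which is the audit trail the text refers to; the `accepted_ids` list is where a documented risk acceptance is recorded so the gate stays green without the finding disappearing from the report.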

Do I Need A Web Application Security Scanner?

Yes, of course! There are many uses for reactive security, such as threat detection and mitigation, real-time alerting and analysis, and rich monitoring data for a security information and event management (SIEM) system. However, as we have acknowledged, this is only reactive: it acts while the event is happening. A web application security scanner can only improve an existing security stack. As with the OSI model, web application security is built in layers, and, also as with the OSI model, certain tools are purpose-built for securing particular layers (Layer 2 and Layer 3 switches, for example).

A WAF can never do what a web application security scanner does, and vice versa; they serve different purposes at different times. So it is always best to deploy both, since they complement each other, both acting to secure your web applications against the practically infinite possibilities that exist in Layer 7. Indeed, adding a web application security scanner protects a stage of your software development life cycle that may not have been well protected, if at all.

Any web application should be protected by both a firewall and a scanner, but the difference between web application firewalls and security scanners is not subtle.

About the author

HelpingTestersTeam administrator
