Secure coding & Defence-in-depth v WAF only
Here are five reasons why secure coding and defence-in-depth are still necessary even if you have a Web Application Firewall (WAF) in place:
1. Your WAF Cannot Protect Against All Vulnerabilities
A WAF defends against attack classes it can recognise in a request, such as SQL injection, cross-site scripting (XSS) and other known payload patterns. It does not cover every way an application can be abused. Secure coding practices are what prevent vulnerabilities such as:
- authorisation and logic flaws, for example one user reading another user's records simply by changing an identifier in the request,
- insecure configurations,
- business-logic abuse, for example a checkout that accepts a negative quantity or a client-supplied price.
The requests that exploit these are syntactically well-formed, so there is no malicious pattern for a WAF to match or mitigate.
2. Your WAF Can Be Evasion-Prone
Attackers can bypass WAFs using evasion techniques including:
- obfuscating payloads (inline comments, case changes, alternative syntax),
- encoding data so that the WAF inspects one representation and the application decodes another,
- employing unusual request patterns (non-standard content types, parameter pollution, chunked or oversized requests).
If your application is not built with secure coding principles in mind, a payload that slips past the WAF lands on code that will happily execute it. Defence in depth, including secure coding, ensures that even when the WAF is bypassed, the request still meets server-side validation, parameterised queries and output encoding, so the bypass gains the attacker nothing.
3. WAFs Offer Reactive Protection
WAFs are primarily reactive: they filter incoming traffic against rules and patterns that describe attacks already seen. They can block known attack signatures, but a novel or previously unknown attack (a zero-day against your framework, or a flaw unique to your own code) has no signature to match. Secure coding proactively removes vulnerabilities from the code before anyone can exploit them, reducing reliance on the WAF to catch every threat.
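To make points 2 and 3 concrete, here is an added example (not code from the original page) that pairs a deliberately naive signature filter, standing in for a WAF rule set, with two versions of the database lookup behind it. The signature list, the sample rows and the payload strings are all constructed for this illustration. The filter inspects the request as it arrives at the edge; the application then URL-decodes the parameter and runs the query, which is exactly the gap the evasions exploit. The parameterised version does not care what the filter missed, because the value is bound as data rather than parsed as SQL.

```python
import re
import sqlite3
import urllib.parse

# Constructed, deliberately naive signature list standing in for a WAF rule set.
# It inspects the request as received, before the application decodes it.
SIGNATURES = [
    re.compile(r"union\s+select", re.IGNORECASE),
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),
]

# Constructed payloads: one that the signature catches, and two evasions.
PLAIN_PAYLOAD = "' UNION SELECT secret FROM users--"
COMMENT_EVASION = "' UNION/**/SELECT secret FROM users--"            # SQL comment instead of whitespace
ENCODED_EVASION = "%27%20UNION%20SELECT%20secret%20FROM%20users--"   # decoded only after the WAF


def waf_blocks(raw_param: str) -> bool:
    """True if the raw (still URL-encoded) parameter matches a known-bad pattern."""
    return any(sig.search(raw_param) for sig in SIGNATURES)


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (username, secret) VALUES (?, ?)",
                     [("alice", "alice-token"), ("bob", "bob-token")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """String concatenation: whatever the WAF lets through becomes part of the SQL."""
    sql = f"SELECT secret FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list[str]:
    """Parameterised query: the value is bound as data and can never change the
    statement's structure, so it does not matter what the WAF missed."""
    sql = "SELECT secret FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def outcome(raw_param: str, hardened: bool):
    """Simulate one request: the edge sees the raw parameter, the application
    URL-decodes it and queries. Returns "blocked" or the sorted list of rows."""
    if waf_blocks(raw_param):
        return "blocked"
    conn = setup_db()
    username = urllib.parse.unquote(raw_param)
    lookup = lookup_hardened if hardened else lookup_vulnerable
    return sorted(lookup(conn, username))


if __name__ == "__main__":
    for label, payload in [("plain", PLAIN_PAYLOAD),
                           ("comment", COMMENT_EVASION),
                           ("encoded", ENCODED_EVASION)]:
        print(f"{label:8} vulnerable={outcome(payload, False)!r:32} "
              f"hardened={outcome(payload, True)!r}")
```

Only the plain payload is stopped at the edge. Both evasions reach the application and, against the concatenated query, dump every user's secret; against the parameterised query they return nothing, because the username "' UNION/**/SELECT ..." simply does not exist. Real WAFs normalise and decode input before matching, which narrows this gap, but the application layer is the only place where the structure of the query is guaranteed.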
4. WAFs Do Not Protect Internal Systems
A WAF inspects the traffic that crosses the edge it sits on, normally the public, web-facing entry point of an application. It does not see attacks that originate inside the network or from internal sources. For example, if an attacker gains access to a user account, the WAF treats their requests as legitimate use of the application; if they gain access to a backend system, calls to internal APIs or other backend services never pass through the WAF at all. Secure coding practices help safeguard the entire stack, and defence in depth ensures your internal systems enforce authorisation and validation themselves rather than trusting their network position.
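Points 1 and 4 share a root cause: the request is perfectly well-formed, so there is nothing for a WAF to match, and the only place the flaw can be fixed is in the code. The following added example (not code from the original page) illustrates both with constructed in-memory data. The checkout function trusts client-supplied quantities, so a negative quantity becomes a credit; the invoice function is the kind of internal service that assumes "only the web tier can reach me" and therefore never checks who is asking. The hardened versions enforce the business rule and the authorisation check at the service itself. The SKUs, prices, invoice ids and user names are invented for the illustration.

```python
# Constructed in-memory stand-ins for a product catalogue and an invoice table.
PRICES_CENTS = {"sku-1": 4000, "sku-2": 1500}
INVOICES = {
    101: {"owner": "alice", "total_cents": 4000},
    102: {"owner": "bob", "total_cents": 1500},
}


class BusinessRuleError(ValueError):
    """Raised when a request is well-formed but violates an application rule."""


def checkout_vulnerable(cart: dict[str, int]) -> int:
    """Trusts the client's quantities. A negative quantity turns into a credit,
    yet every field is a plain integer: nothing here resembles an attack signature."""
    return sum(PRICES_CENTS[sku] * qty for sku, qty in cart.items())


def checkout_hardened(cart: dict[str, int]) -> int:
    """Secure-coding fix: enforce the business rules on the server."""
    total = 0
    for sku, qty in cart.items():
        if sku not in PRICES_CENTS:
            raise BusinessRuleError(f"unknown sku {sku!r}")
        # type() rather than isinstance(): bool is a subclass of int in Python,
        # and True would otherwise pass as a quantity of 1.
        if type(qty) is not int or not 1 <= qty <= 100:
            raise BusinessRuleError(f"quantity {qty!r} out of range for {sku}")
        total += PRICES_CENTS[sku] * qty
    if total <= 0:
        raise BusinessRuleError("order total must be positive")
    return total


def invoice_api_vulnerable(invoice_id: int) -> dict:
    """Internal invoice service that trusts its caller because 'only the web tier
    can reach it'. The WAF sits at the public edge, not on this hop, so a hijacked
    account or a compromised backend host can walk every invoice id."""
    return INVOICES[invoice_id]


def invoice_api_hardened(caller: str, invoice_id: int) -> dict:
    """Defence in depth: the service checks ownership itself rather than
    inferring trust from network position. Unknown and foreign invoices get the
    same error, so the endpoint does not leak which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != caller:
        raise PermissionError(f"{caller!r} may not read invoice {invoice_id}")
    return invoice


def rejects(fn, *args) -> bool:
    """True if fn(*args) is refused by a business-rule or authorisation check."""
    try:
        fn(*args)
    except (BusinessRuleError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    cart = {"sku-1": 1, "sku-2": -3}
    print("vulnerable checkout total:", checkout_vulnerable(cart))      # negative: a refund
    print("hardened checkout rejects it:", rejects(checkout_hardened, cart))
    print("internal API, no caller check:", invoice_api_vulnerable(102))
    print("hardened API refuses alice -> 102:", rejects(invoice_api_hardened, "alice", 102))
```

Neither of the vulnerable calls involves a quote, a tag or an encoded byte; a signature-based WAF in front of the web tier would pass them through, and in the internal-API case would never see them. The checks in the hardened versions are ordinary application code, which is the point of the section: they are cheap, they travel with the service wherever it is deployed, and they hold whether or not an edge device is in the path.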
5. WAFs Are Not a Substitute for a Security Culture
Relying solely on a WAF can create a false sense of security, leading to complacency about secure coding. A WAF is a tool, not a comprehensive security solution. Secure coding ensures that vulnerabilities are avoided or mitigated from the start of development, while defence in depth provides multiple layers of security so that the failure of any one layer is not the failure of the system. Building a security culture within the development team, with threat modelling, code review and testing as routine, is what stops vulnerabilities being introduced in the first place.
In summary, while a WAF can be an important component of your security strategy, it should not replace secure coding practices and defence in depth. Both are necessary to reduce overall risk and ensure your application is secure.