Answer yes if the WAFs were implemented with a 'deny all' policy, and if the WAF rules were only added when a business requirement was identified that required the rule to be created.
What is the control?
Just like your network firewalls should be configured to deny by default and only allow approved traffic (based on the requirements of your systems and processes), your web application firewalls (WAFs) should be configured to deny any queries that are not in line with expected behaviour (specific web service requests) from clients.
A “deny all” policy ensures that all queries are denied unless they meet the criteria configured in the firewall, which should reflect your web application’s operation, in theory ensuring only good traffic can get through.
Why should I have it?
While web application firewalls typically come from vendors with an existing set of rules meant to catch malicious traffic, they may not be exhaustive and won’t be aware of the specifics of your particular web applications.
By configuring them to deny all queries by default and only allowing those queries of the expected kind (based on query type, parameters, sequence, source, etc.), you effectively make it very unlikely that an attack specific to your infrastructure, which may otherwise not trigger one of the WAF’s generic blocking rules, is able to get through.
This not only protects your web application, its data, and associated infrastructure, but also demonstrates a high level of maturity in building and/or deploying applications since a high level of understanding of how one’s own applications work is required to create the fine-tuned “allow” rules.
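The difference between the two models, as an added Python example (not code from this article or from any WAF product): a request is passed only if it matches an explicit allow rule, while a simplified stand-in for a vendor's generic signatures lets the same unexpected requests through. The endpoint paths, parameter names and signature list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical allow rules for a constructed application: (method, path) -> {param: pattern}.
ALLOW_RULES = {
    ("GET", "/api/orders"): {"customer_id": r"\d{1,10}", "page": r"\d{1,4}"},
    ("GET", "/api/orders/export"): {"format": r"csv|json"},
}

# Simplified stand-in for a vendor's generic blocking signatures.
GENERIC_SIGNATURES = [re.compile(p, re.I) for p in (r"<script", r"union\s+select", r"\.\./")]


def generic_rules_allow(method, url):
    """Deny-list model: pass anything that matches no known-bad signature."""
    return not any(sig.search(url) for sig in GENERIC_SIGNATURES)


def deny_all_allow(method, url):
    """Deny-all model: pass only requests that match an explicit allow rule."""
    parts = urlsplit(url)
    spec = ALLOW_RULES.get((method, parts.path))
    if spec is None:
        return False, "no allow rule for this method and path"
    params = parse_qsl(parts.query, keep_blank_values=True)
    names = [name for name, _ in params]
    if len(names) != len(set(names)):
        return False, "repeated parameter"
    for name, value in params:
        pattern = spec.get(name)
        if pattern is None:
            return False, f"unexpected parameter {name!r}"
        if not re.fullmatch(pattern, value):
            return False, f"value of {name!r} outside the expected format"
    return True, "matched allow rule"


# Constructed sample requests: one expected, three outside the application's behaviour.
SAMPLES = [
    ("GET", "/api/orders?customer_id=1042&page=2"),
    ("GET", "/api/orders?customer_id=1042&debug=true"),
    ("DELETE", "/api/orders?customer_id=1042"),
    ("GET", "/api/orders/export?format=xml"),
]

if __name__ == "__main__":
    for method, url in SAMPLES:
        allowed, reason = deny_all_allow(method, url)
        print(f"{method} {url}: generic={generic_rules_allow(method, url)} deny_all={allowed} ({reason})")
```

Each allow rule here corresponds to one documented behaviour of the application, which is why the rules can only be written by someone who knows how the application works.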
Your network security policy should specify that a “deny all” policy applies to your web application firewalls as well as network-layer firewalls.
Note that, due to the tight integration between the WAF configuration and the applications, this means that your testing process and environment should include the WAF components in order to be able to develop their configuration alongside the applications themselves.
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.