Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

06) Does your organisation review its WAF rules at least annually?

August 30, 2022
Network and Cloud Security
WAF Rule Review
Web Application Firewall Rule Review

Answer yes if your organisation undertakes an annual WAF rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. Please state in the notes the date of the last review.

What is the control?

Just like with network firewall rules, it’s important to periodically review your web application firewall (WAF) rules to ensure that the configuration is as expected and that your process is effective.

Why should I have it?

A regular review of firewalls rules is important in order to validate that the configuration is effective and that your processes synchronising application requirements to your WAF rules (as part of your “deny all” policy) are working.

Over time it’s possible that errors occur in the implementation of your processes around updating your WAF configuration to match your web applications. Things may be configured incorrectly or omitted, resulting in possibly overly relaxed rulesets. A regular review of your WAF rules helps detect these errors, providing assurance in the effectiveness of your processes and input for improvements should there be adverse findings.

How to implement the control

A policy should be implemented stating that WAF rules are reviewed at least annually to ensure that they are up to date an optimised to be as restrictive as possible.

Ideally, all your web application changes, including what queries are expected (and their format), should be documented as part of your development and change processes. This information can then be used as part of your firewall review process in the same way it should have been used to establish the rules at the time of the change.

There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.