Webscale’s Cloud Web Application Firewall Takes SaaS Approach to Web App Security

For web site and application operators, attacks at the application layer can be varied – and catastrophic. Webscale is adding a SaaS-based firewall to its cloud-based web application delivery platform.

Tags: applications, cloud, firewall, OWASP, SaaS, security, web, Webscale,

For web site and application operators, attacks at the application layer can be varied – and catastrophic. Webscale is offering a SaaS-based firewall designed to protect web apps from erroneous code being deployed, site content being altered or user data being stolen via vulnerable backdoors.


The Webscale Cloud Web Application Firewall (WAF) is the company’s latest addition to its cloud-based web application delivery platform rich with a-la-carte solutions to ensure performance, reliability and security of critical web apps, according to Webscale CEO Sonal Puri. 


Webscale’s Cloud WAF is “completely application aware,” making it different from the many traditional WAF solutions, which work at the ‘edge’ of a web application, Puri said.  


”With its deep visibility into the underlying infrastructure, Webscale is completely application aware, enabling it to identify anomalies and issue resolutions before disruption is caused, whether they be at the browser level, or at the application backend,” she explained.


Further, because it is a SaaS, cloud based system, it can “learn” about new attacks by monitoring thousands of customers.  Any steps taken to fight off an attack or remedy a vulnerability is immediately distributed across the entire base. “That is the beauty of a SaaS platform versus an appliance,” she said. 


Available immediately, WAF enables every application with an enhanced level of security, avoiding downtime or performance degradation through malicious attacks, such as distributed denial of service (DDoS), she added.


Inside Webscale’s Cloud WAF Approach – Combining Cloud, Community and Real-Time Remediation 

“Webscale’s Cloud WAF is the first to focus on critical e-commerce platforms and integrate application awareness by building out robust protection for both data traffic at the browser level, and the complete backend application infrastructure, in a single ‘as-a-Service’ [cloud subscription] solution,” Puri added.


In a recent blog post, Puri also shared perspectives on the growing rise in headline-grabbing web app vulnerabilities: 

Have business owners wondered why we still hear about websites crashing when too many people try to get in? Stories were rife during the recent 2016 Black Friday and Cyber Monday events with big names like Old Navy, Macy’s and Walmart, all experiencing availability issues due to surge traffic, even though these businesses have been around for decades and have adequate budgets to support their needs.

Part of the problem is that many companies are still using traditional hosting and networking solutions for the scale, security and management of their websites, and web applications, instead of the cloud. And the other part of the problem is a lack of expertise in bringing all the disparate pieces of the solution together to solve for the big picture.

She also added details on the technical approaches Webscale uses to fight these threats.  “At the browser level, the Webscale Cloud WAF enables best-in-class HTTPS support with the latest SSL/TLS standards,” she noted.  “This can be done without having to make any changes to the application infrastructure. Deploying SSL/TLS at the Webscale level ensures better offload and encryption from the application servers, enabling more efficient use of infrastructure.”


Further, Webscale’s Cloud WAF provides these capabilities:

Strong blacklisting and whitelisting capabilities that can block or allow requests or sessions by IP address, device type or geographic location.


Protection for sensitive customer information through HTTP/2 support and Service Provider-grade PCI-DSS certification.


Quick detection of problems, identification of solutions and application of fixes through real-time traffic analysis and flexible rules capabilities.


A “Shield Mode” to instantly blocking bad traffic and validating genuine users in the event of a Distributed Denial of Service (DDoS) attack, in order to keep the website fast and available.


Application specific or custom rule sets for each application that may have different security needs though a custom security policy manager that includes over 100 combinations of conditions to detect, together with policies to apply instantly.


Geo-targeting, since certain geographies are associated with security issues and the ability to block requests originating from these geographies is critical to the ongoing support of the application.

The WAF also allows for blocking against the Open Web Application Security Project (OWASP) top 10 threats, which are categorized as:

  • A1 Injection
  • A2 Broken Authentication and Session Management
  • A3 Cross-Site Scripting (XSS)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration
  • A6 Sensitive Data Exposure
  • A7 Missing Function Level Access Control
  • A8 Cross-Site Request Forgery (CSRF)
  • A9 Using Components with Known Vulnerabilities
  • A10 Unvalidated Redirects and Forwards


Webscale Cloud WAF is included in the Webscale Basic, Pro and Enterprise converged platforms.