Question

I saw many web application firewalls like mod_security with the OWASP extension.

If I use that on my server, can I be 99% sure that no one can hack my site with PHP code? Like XSS...


Solution 2

There is no 99% sure, the only way to be 99% sure is to "unplug the Ethernet cable" (figuratively speaking, I realize it's all virtual), and even then it's not 100%.

I would recommend running PCI Compliance scans, it is relatively inexpensive and it will give you an idea what known vulnerabilities your server/app is vulnerable to. You can also do penetration testing, there are many services for that, it will provide additional insights.

OTHER TIPS

In a word - no.

As Bruce Schneier says, security is a process, not a product. A web application firewall is a good idea - it's like putting a lock on the front door. But if the backdoor is wide open, that's where an attacker will try to gain access to your system.

It won't protect you from infrastructure vulnerabilities (operating system, PHP etc.). It won't protect you from poor password choices, or application level bugs. It won't protect you (probably) from SQL injection attacks, and there may still be XSS opportunities.

There is no automatic way to detect or correct vulnerabilities, including XSS. Trying to block "bad" incoming requests is inherently unreliable because there is no way to tell what kind of request would be interpreted badly by the application without in-depth knowledge of the application.

A WAF by default has no knowledge of the application and can only make dumb guesses. This means you will both underblock (allowing through harmful requests) and overblock (getting in the way of legitimate users). The common rulesets (such as mod_security CRS) have many questionable rules which will cause operational issues to many kinds of application; a naïve deployment like this will cause you more problems than it solves.

To make a WAF do anything much useful you have to configure it to match the application, which needs some in-depth knowledge of what kinds of input are or aren't expected. If you are the developer of the app you will probably find that putting input validation in at the application layer is simpler than trying to configure the WAF to do it.

WAFs are useful:

  1. to enforce basic HTTP validity, where you don't have another front-end server doing that already;
  2. as intrusion detection systems, to alert you when an attack is likely to be underway (greater than normal quantity of suspicious traffic);
  3. when you aren't the developer of an app and don't have a way to fix it, to apply workarounds to block a known app vulnerability in a layer outside;
  4. in learning mode, to gather information about an unknown app that you can then use to configure it more appropriately.

But the idea that you can develop an app without thinking about security and then magically fix all problems by dropping a WAF in front is absurd.
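To make the underblock/overblock point above concrete, here is an added example in Python (not part of the answer, and not mod_security's own code): a toy signature-based request filter in the spirit of a generic ruleset, next to the two things the application itself can do because it knows what a parameter is supposed to look like, allow-list validation and context-aware output encoding. The rules, the parameter shapes and every sample value are constructed for illustration. Python is used so the block runs stand-alone; in PHP the encoding step is `htmlspecialchars($value, ENT_QUOTES)`.

```python
"""Toy WAF-style block list versus application-layer handling.

Added example: the rules and inputs below are constructed, not taken from
any real ruleset, to show why a filter with no knowledge of the application
both lets attacks through and blocks legitimate users.
"""
import html
import re

# Constructed block-list rules. They know nothing about which parameter a
# value belongs to or where the application will put it.
NAIVE_RULES = [
    ("xss-script-tag", re.compile(r"<\s*script", re.I)),
    ("sqli-keywords", re.compile(r"\b(select|union|drop)\b", re.I)),
]


def naive_waf_blocks(value):
    """Return the name of the first rule that fires, or None if the value is
    let through. This is the 'dumb guess' layer."""
    for name, rule in NAIVE_RULES:
        if rule.search(value):
            return name
    return None


# Application-layer handling. The app knows a username is letters, digits
# and underscores, and that a comment is free text rendered inside an HTML
# element body. Both shapes are assumptions of this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def app_validate_username(value):
    """Allow-list validation: anything outside the expected shape is
    rejected, whether or not it happens to match a known signature."""
    return USERNAME_RE.fullmatch(value) is not None


def app_render_comment(value):
    """Output encoding for the HTML body context. The browser receives
    literal text, so no tag or attribute is created whatever the comment
    contains; no guess about 'badness' is needed."""
    return '<p class="comment">' + html.escape(value, quote=True) + "</p>"


# Constructed inputs: two attack payloads and two legitimate values.
SAMPLES = {
    "xss_without_script_tag": "<img src=x onerror=alert(1)>",
    "legit_comment": "I need to select the best option for my cart",
    "legit_username": "alice_99",
    "xss_as_username": "<script>alert(1)</script>",
}


def underblock_and_overblock():
    """Summarise the two failure modes of the naive filter.

    Returns a dict with the sample keys that were wrongly allowed
    (underblocked) and wrongly blocked (overblocked)."""
    underblocked = [
        k for k in ("xss_without_script_tag",) if naive_waf_blocks(SAMPLES[k]) is None
    ]
    overblocked = [
        k for k in ("legit_comment",) if naive_waf_blocks(SAMPLES[k]) is not None
    ]
    return {"underblocked": underblocked, "overblocked": overblocked}


if __name__ == "__main__":
    for key, value in SAMPLES.items():
        print(f"{key:24s} waf={naive_waf_blocks(value)!s:16s} "
              f"rendered={app_render_comment(value)}")
    print(underblock_and_overblock())
```

The `onerror` payload never contains `<script`, so the signature misses it, while the perfectly ordinary comment containing the word "select" is rejected. The application-side functions get both right without a signature, because they encode for the exact output context and validate against the exact expected shape rather than guessing what an attack looks like.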

It's possible if you use a WAF with a white-list strategy and configure your own access policy.

Security infrastructure is necessary, such as the Janusec Application Gateway:

Internet <---> Application Gateway (with WAF) <---> Application Front Server <---> Application Business Logic <---> Application Data Access Layer <---> DB Server

Security infrastructure may help decrease risks such as private key leakage, CC attacks, web vulnerabilities, but they cannot block 100%.

A good application architecture, an SDL flow (technical review, code review, scanning) and a cache mechanism may help build a robust system.

The answer is NO. One cannot be foolproof with any WAF out there. This is because a WAF works on signatures, and if there are any new vulnerabilities out there, the WAF cannot detect them.

Also, there are other concerns like multiple encoding, POST bodies of larger length, bot activity etc., which are much more sophisticated to identify.

There are also WAF providers like Akamai who have more threat intel and sophisticated bot management. Again, this is not 99% proof, but companies like this have been in the WAF business for years and they might have better insights.

I hope this answers your query!

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow