Why WAF Whitelisting is Always Better than Blacklisting

August 4, 2015 John Stauffacher

This is a guest post by John Stauffacher, a world renowned expert in web application security, and the author of Web Application Firewalls: A Practical Approach. John is a certified Network Security and Engineering specialist with over 17 years of experience in IT Security. 

The best approach to web application security is to whitelist the good rather than to blacklist the bad.

Why? It is far simpler to enumerate all that is good within your application than it would be to continually update all of the bad that could possibly be thrown at your application. Your routes, cookies, parameters (and their values) are all known to your organization. Using this information you can create a proposed ‘whitelist’ of all the correct points of entry, cookies, parameters, and values for your application. This whitelist can become your baseline for the application, and any traffic that deviates from this baseline can be considered bad traffic.

A whitelisting approach is far more secure and efficient than continuously enumerating ‘the bad’ in your Web traffic. The bad changes on a daily basis. Web teams that rely on blacklisting find themselves behind the eight ball, chasing the latest zero-day threat and spending countless hours listing every attack vector known to man, writing and updating rules in their WAF and driving themselves crazy. In the end, their WAF becomes a list of attack signatures that looks into the past and fails to stop new threats.

So while the initial process of establishing a whitelist requires a bit more upfront time than blacklisting, you gain a more proactive and robust WAF security stance that doesn’t have to play catch-up with every zero-day threat that comes down the pike.  

Include whitelisting as part of your standard Web application security practice, and make sure to update your list on a regular basis. You’ll be glad you did.

Learn more about getting the most out of your WAF: Five Ways to Optimize Your WAF to Protect Against Bad Bots and The Ultimate WAF Torture Test Webinar.

About the Author

John Stauffacher

John Stauffacher is a world renowned expert in web application security, and the author of Web Application Firewalls: A Practical Approach. John is a certified Network Security and Engineering specialist with over 17 years of experience in IT Security.

More Content by John Stauffacher
Previous Article
Eight Things I Learned from Building Out Our Cloud CDN
Eight Things I Learned from Building Out Our Cloud CDN

The eight things I learned from building out our content delivery network (CDN) that leverages 17 global da...

Next Article
Web Scraping : Everything You Wanted to Know (but were afraid to ask)
Web Scraping : Everything You Wanted to Know (but were afraid to ask)

Everything you wanted to know about web scraping. Advanced scraping technologies, industry targets, legali...