ABSTRACT
According to the Web Application Security Consortium (WASC), a Web application firewall (WAF) is defined as “an intermediary device, sitting between a Web client and a Web server, analyzing OSI layer-7 messages for violations in the programmed security policy. A Web application firewall is used as a security device protecting the Web server from attack,” and Web application security is defined as “theory and practice of information security relating to the World Wide Web, HTTP, and Web application software. It is also known as Web security.”[1]

Furthermore, WASC classifies WAF as “a new breed of information security technology designed to protect Websites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can’t, and they do not require modification of application source code.”[2]
SECURITY LAYERS
Figs. 1, 2, and 3 illustrate, in a rather simplistic form, the security layers of an information system and the typical generic class of controls used to secure each layer.