ABSTRACT

According to the Web Application Security Consortium (WASC), a Web application firewall (WAF) is defined as “an intermediary device, sitting between a Web client and a Web server, analyzing OSI layer-7 messages for violations in the programmed security policy. A Web application firewall is used as a security device protecting the Web server from attack,” and Web application security is defined as “theory and practice of information security relating to the World Wide Web, HTTP, and Web application software. It is also known as Web security.”[1]

Furthermore, WASC classifies WAF as “a new breed of information security technology designed to protect Websites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can’t, and they do not require modification of application source code.”[2]
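
The definition above (an intermediary that parses layer-7 messages and checks them against a programmed policy) as an added example, not code from the article or from any WAF product: a minimal HTTP request inspector in Python. The rule set, the allowed paths and parameters, and the sample requests are constructed for illustration. It combines the two policy styles a WAF typically uses, a positive model of what the application accepts and a negative model of known attack patterns, and it shows why the check has to run on the decoded request: the second sample hides a SQL injection payload behind URL encoding, and the third hides a traversal sequence in a form body, so a byte-level match on the wire (the view a network firewall has) finds nothing in either.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Added example: a minimal layer-7 request inspector in the spirit of the WAF
# definition above. Not code from the article or from any WAF product; the
# rules, allowed paths and sample requests are constructed for illustration.

# Negative security model: signatures for known attack patterns (constructed,
# deliberately small; a real rule set is far larger and tuned per application).
NEGATIVE_RULES = [
    ("sql-injection", re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
    ("path-traversal", re.compile(r"\.\./")),
    ("xss", re.compile(r"(?i)<script\b")),
]

# Positive security model: the paths the protected application serves and the
# parameters each accepts (an assumption for the example).
ALLOWED_PATHS = {"/login": {"user", "password"}, "/search": {"q"}}


def parse_request(raw: bytes) -> dict:
    """Parse one raw HTTP/1.1 request into method, decoded path, query, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "path": unquote(parts.path),
        "query": parse_qsl(parts.query, keep_blank_values=True),  # percent-decoded
        "headers": headers,
        "body": body.decode("latin-1"),
    }


def inspect(raw: bytes) -> list:
    """Return the policy violations found in one request; an empty list means allow."""
    req = parse_request(raw)
    violations = []
    if req["path"] not in ALLOWED_PATHS:
        violations.append("path-not-allowed:" + req["path"])
    # Collect every user-controlled name/value pair in decoded form, so that
    # URL encoding cannot hide a payload from the signature check.
    pairs = list(req["query"])
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        pairs += parse_qsl(req["body"], keep_blank_values=True)
    allowed_params = ALLOWED_PATHS.get(req["path"], set())
    for name, _ in pairs:
        if name not in allowed_params:
            violations.append("param-not-allowed:" + name)
    for value in [v for _, v in pairs] + [req["path"]]:
        for rule_name, pattern in NEGATIVE_RULES:
            if pattern.search(value):
                violations.append(rule_name)
    return violations


def naive_wire_match(raw: bytes) -> list:
    """The same signatures applied to the undecoded bytes, as a device without
    layer-7 parsing would see them; used only to show what encoding hides."""
    text = raw.decode("latin-1")
    return [name for name, pattern in NEGATIVE_RULES if pattern.search(text)]


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "benign": b"GET /search?q=firewall HTTP/1.1\r\nHost: app.example\r\n\r\n",
    # ' OR '1'='1 hidden behind percent-encoding
    "encoded-sqli": b"GET /search?q=%27+OR+%271%27%3D%271 HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "traversal-in-form": (
        b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 53\r\n\r\n"
        b"user=admin&password=x&redirect=..%2F..%2Fetc%2Fpasswd"
    ),
    "unknown-path": b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(f"{name:18} decoded: {inspect(raw)}  on the wire: {naive_wire_match(raw)}")
```

Running the block prints, for each sample, the violations found on the decoded request next to those found on the raw bytes; the encoded SQL injection and the form-body traversal are caught only by the decoded check, which is the layer-7 visibility the WASC definition turns on. A production WAF also has to handle chunked bodies, multipart forms, JSON, double encoding and Unicode normalisation before matching, none of which this example attempts.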

SECURITY LAYERS

Figs. 1, 2, and 3 illustrate, in simplified form, the security layers of an information system and the generic class of controls typically used to secure each layer.