Contact Us

The benefits of dual web application firewall:
Activating your frontline
security

Authors: Richard Yew, Principal Product Manager,
Security | Jonathan Stock, Product Marketing, Security

Many development teams have found continuous integration/continuous delivery (CI/CD) practices to be an excellent way to meet the challenges of a rapid software development life cycle (SDLC). However, CI/CD relies on agile practices and flexible tools; overreliance on outdated systems can place roadblocks to deployment. Nowhere is this more apparent than with legacy web application firewalls (WAFs) which, because they need frequent mandatory updates, can cause costly downtime and service disruptions.

Why dual firewalls are essential for rapid and secure development cycles

Verizon’s Dual WAF technology offers a useful solution for integrating WAF security within a CI/CD pipeline. By providing an audit WAF that works in tandem with a production WAF, Dual WAF technology puts teams in full control of their most essential defensive tool. The audit WAF, which directly monitors live traffic data, enables developers to test patches and new rule sets without disrupting ongoing WAF security. Developers can monitor the potential effects of their changes in real time and immediately swap successful updates to the production system without delays or disruption.

By bringing WAF access directly into the development pipeline, Dual WAF provides several distinct advantages for CI/CD execution:

  • Because the audit WAF operates independently of the production WAF, development teams and quality assurance engineers have the access they need to design, implement and automate testing frameworks
  • As the audit WAF operates on live traffic data, all metrics correlate exactly to live conditions
  • Since all changes on the audit WAF can instantly be swapped to the production WAF, Dual WAF makes it easy to coordinate integration and delivery of software

For a deeper discussion of how Dual WAFs help enable a better CI/CD process, see our Dual WAF white paper.1

Seamless automation for 100% predictability and optimization

An effective CI/CD pipeline depends on a test-ready platform that only a Dual WAF configuration can provide. Previous-generation WAFs forced developers to choose between either disrupting service to test patches on live traffic data or running patches on less-reliable canned traffic data. Both choices interfere with ongoing operations and lead to significant undertesting for crucial updates.

Dual WAF makes it easy for teams to run as many tests as necessary. The audit WAF can quickly be accessed for security and performance testing, allowing seamless automation across the development pipeline. Just as important, the results of all tests map exactly to live traffic results. Live traffic leads to better optimization, because Dual WAF can be configured against actual conditions, not simulated patterns. Testing teams can therefore demonstrate 100% predictability for patch implementation, making it easy for teams to make correct decisions.

Measure twice, patch once

For many companies, what’s measured is what matters, which is why it’s critical to track the right metrics. Single WAF configurations put patch teams on shaky ground, because the information depicted through their dashboard is either outdated or unrelated. Relying on such inaccurate data can lead to poor prioritization and unexpected errors.

Dual WAF’s comprehensive dashboard gives developers the information they need in a clear and responsive format. By comparing results in a modified audit WAF against the current production WAF, teams can immediately assess the patch’s security and traffic impact.  Any necessary adjustments can be made and evaluated before the patch goes live.

  • Dual Web Application Firewall

Coordinating integration and delivery

Due to the inflexibility of older WAFs, they were often left out of the traditional development life cycle—treated instead like a brick wall to be built around a finalized product. That mindset erodes the effectiveness of WAF’s frontline defensive capabilities and can lead to more legitimate access requests being rejected as false positives. For a WAF to function best as a shield against malicious traffic, it needs to be part of the integration and delivery cycle.

For older WAFs, this is clearly an impossibility; companies simply can’t allow their web presence to be jeopardized by making WAFs subject to the extreme volatility of the coding process. An audit WAF removes that risk, giving developers a new tool to coordinate integration and delivery. By building WAF testing into the pipeline, developer teams can coordinate their efforts, ensuring security and accountability at every level.

Conclusion

By leaving WAFs outside the development pipeline, too many companies neglect their most powerful defense against malicious traffic. Not without reason, though; until recently, WAFs weren’t sufficiently flexible or accessible to factor into the development loop. Updates and modifications required either using stale data or disrupting service.

With Verizon’s Dual WAF, developers can now test updates on live traffic data in an audit WAF with zero disruption, compare key metrics with production WAF traffic and instantly bring successful patches live without delays. Each of those advances is essential in enabling WAF implementation throughout the CI/CD development process.

Dual WAF gives developers access to vital metrics at every stage of development and the ability to implement immediate updates without risking service disruptions. Effective CI/CD relies on the comprehensive security integration that only Dual WAF can provide.

Learn more:

To learn more about how Dual WAF can benefit a CI/CD system, check out Verizon’s new white paper, “Integrating Dual WAF with CI/CD Process for Better Security.”1