Difference between revisions of "Project Information:template Best Practices: Use of Web Application Firewalls"

Line 4: Line 4:
  | style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
  | style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
  | colspan="7" style="width:85%; background:#cccccc" align="left"|<font color="black">'''OWASP Best Practices: Use of Web Application Firewalls'''<br>Web application vulnerability scanner / security auditor
  | colspan="7" style="width:85%; background:#cccccc" align="left"|<font color="black">'''OWASP Best Practices: Use of Web Application Firewalls'''
  | style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''  
  | style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''  
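Review bot: the subtitle removed from the 'Project Name' cell, "Web application vulnerability scanner / security auditor", describes a scanner rather than the WAF best-practices document, so dropping it is correct; the same template still carries the scanner project's leader, contributors, license and the "OWASP Wapiti Project" / Sourceforge links under Key Project Information, and those cells should be replaced in the same revision. The unclosed `<font color="black">` in that cell is also carried over unchanged and could be closed or dropped while the row is being edited.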

Revision as of 18:12, 13 January 2009

Project Name: OWASP Best Practices: Use of Web Application Firewalls
Short Project Description:

Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers use methods that are specifically aimed at exploiting potential weak spots in the web application software itself - and this is why they are not detected, or not detected with sufficient accuracy, by traditional IT security systems such as network firewalls or IDS/IPS systems. OWASP develops tools and best practices to support developers, project managers and security testers in the development and operation of secure web applications. Additional protection against attacks, in particular for web applications already in production, is offered by what is still an emerging category of IT security systems, known as Web Application Firewalls (hereinafter referred to simply as WAF), often also called Web Application Shields or Web Application Security Filters.

One of the criteria for meeting the credit card industry's security standard currently in force (PCI DSS - Payment Card Industry Data Security Standard v.1.1), for example, is either a regular source code review or the use of a WAF.

The document is aimed primarily at technical decision-makers, especially those responsible for operations and security, as well as application owners (specialist departments, technical application managers) evaluating the use of a WAF. Wherever possible, special attention has been paid to presenting work estimates, including in comparison to possible alternatives such as modifications to the source code.

In addition to the importance of the web application with regard to turnover or image, the term "access to a web application" as used in this document can be a good criterion in the decision-making process relating to the use of WAFs. Specifically, access to a web application measures the extent to which the required changes to the application source code can actually be carried out in-house, on time, or by third parties. As illustrated by the graph below, a web application to which there is no access can only be protected sensibly by a WAF (the additional benefit of the WAF). Even with an application to which there is full access, a WAF can be used as a central service point for various services such as secure session management, which can then be implemented for all applications equally, and as a suitable means for proactive security measures such as URL encryption.

Key Project Information
Project Leader: Nicolas Surribas
Project Contributors: Alberto Pastor Nieto, David del Pozo González
Mailing List: Subscribe here / Use here
License: GNU Lesser General Public License
Project Type: if any, add link
Release Status: Provisory Alpha Quality (under review). Please see here for complete information.
Main Links: OWASP Wapiti Project; Project's Sourceforge Repository
Related Projects: ICT Romulus Project