How WAF-as-a-Service Addresses Critical Customer Vulnerabilities
For MSPs that want to extend their security footprint within their client base, providing web application firewall (WAF) services offers a way to increase revenues while reducing data breaches for customers.
Just how big is the web application security problem? According to WhiteHat Security’s 2017 Application Security Statistics Report, 75 percent of cyberattacks are aimed at applications, while just 25 percent attack the network perimeter. Spending on security, however, is almost the inverse of that. According to the report, 90 percent of security investment is at the network edge, while just 10 percent of those investments go toward application security.
The WhiteHat study also pointed to other data that further outline these vulnerabilities:
- 30 percent of total breaches reported involved attacks on web applications
- 77 percent of web app attacks were carried out by botnets
- 32 percent of attacks exploited SQL injection errors
According to WhiteHat: “Application vulnerabilities continue to be a significant problem; however, there has been marginal improvement across the board. In 2015, web applications analyzed had an average of four vulnerabilities. That number dropped to three vulnerabilities in 2016. While this represents a 25 percent improvement year-over-year, most applications have three or more vulnerabilities, with almost half of them being ‘critical.’ These errors could result in data loss, theft, or denial-of-service attacks if not properly remediated.”
Additionally, various studies show that a website is hit by a critical exploit nearly every half hour, and WhiteHat says there are 51 vulnerabilities per website on average. The 2017 Verizon Data Breach report indicates that 44 percent of attacks come through vulnerable apps. The average web application attack costs $15 million and takes 46 days to resolve.
Why WAF-as-a-Service Is a Perfect Fit for SMBs
Traditional application security solutions are often too complicated and expensive for smaller businesses to implement, often don’t have enough controls, and may not work for apps deployed on the cloud. These companies need help.
WAF-as-a-Service offerings help MSPs address their customers’ web app security, reducing customer risk while also allowing MSPs to grow their businesses and build stronger client relationships.
Outsourcing web application security is going to be increasingly attractive to smaller businesses, particularly as application threats expand in number and complexity. The Open Web Application Security Project’s (OWASP) most recent list of the top 10 threats includes issues like injection flaws, broken authentication, sensitive data exposure, XML external entities, broken access control, and other vulnerabilities that are relatively easy for attackers to detect and exploit.
A WAF-as-a-Service solution can protect those apps while also simplifying setup, management and reporting for the MSP. The solution can also protect against risks identified by OWASP, including DDoS, zero-day exploits and brute-force attacks.
Scanning for vulnerabilities is not only a vital piece of this type of service, but it can also help initiate the conversation about these types of security threats with customers. For example, Barracuda MSP’s WAF-as-a-Service offering includes Barracuda Vulnerability Remediation Service, which scans customer apps on a pre-set schedule. Any vulnerabilities are identified and imported into the WAF to implement remediations automatically.
For customers who aren’t aware of just how big a risk their web apps pose, MSPs can offer to scan their websites and applications using the Barracuda Vulnerability Manager to identify any existing problems. The solution is free, doesn’t require a WAF license and takes just a few minutes to set up.
By sharing scan results with customers, MSPs can illustrate each customer’s needs and talk about the importance of adding a WAF, as well as regular scanning and remediation services.
Many small and midsize businesses (SMBs) aren’t aware of just how vulnerable they are to an attack via their web applications. Offering a WAF-as-a-Service solution allows MSPs to provide ongoing protection with minimal cost and complexity. It can also complement other managed security offerings with a product that is easy to price and bill.
Poorly designed and unsecured web applications can provide a backdoor for attackers into your customers’ critical business systems. WAF-as-a-Service gives MSPs a way to quickly and easily identify and address threats, as well as a new source of recurring revenue.
Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.
This guest blog is part of a Channel Futures sponsorship.