97% of applications tested by Trustwave had one or more vulnerabilities.
With the rise of web threats, any web application needs a proper firewall in place to protect it from attacks and keep online business operations running without disruption.
Having vulnerable files, plugins, software or misconfiguration on your server can expose you to security risk, which may lead to financial and reputational loss.
Multiple online tools can help you find security vulnerabilities and malware for FREE. However, when it comes to fixing them or protecting against them, you have to spend a little.
You might have heard of “ModSecurity”, a free Web Application Firewall (WAF), and you may consider using it with web servers like Apache, Nginx, etc.
ModSecurity can be good protection for websites, but it requires a significant level of configuration knowledge and continuous maintenance.
If you don’t want to own the maintenance and configuration headache, then the following Cloud-Based Security Providers (CBSP) will help protect you from online web threats automatically.
Incapsula’s WAF is PCI-certified and protects from the OWASP top 10 threats, including SQL injection, XSS, remote file inclusion and illegal resource access.
Incapsula by Imperva provides not only a cloud WAF but also the following protections, plus a CDN served from 28 data centers worldwide.
- Bot protection
- Login protection
- Backdoor protection
- DDoS protection
Incapsula has more than 5% market share in the Alexa top 1M.
The FREE account includes the CDN and a few security protections; to use the WAF, however, you have to enroll in the PRO plan. You can sign up for a 14-day free trial to see how it works.
CloudFlare is a big player in CDN with more than 80 market share and provides a WAF with the PRO plan. The CloudFlare WAF safeguards you from the OWASP top 10 vulnerabilities and automatically protects against the following types of attacks.
- SQL injection
- SPAM protection
- DDoS attacks
- Application specific vulnerabilities like WordPress, Joomla
With their Pro plan, you get both the CloudFlare Rule Set and the OWASP ModSecurity Core Rule Set in the CloudFlare WAF.
The CloudFlare Rule Set is based on common attacks found on their network on the following popular applications.
Along with the above rule set, they have “CloudFlare Special”, which can help you with more than 80 attack types, including some of the common ones as follows.
- Empty User-Agent
- Numbers Botnet
- SQLi probing
- Block Semalt crawler
- SVG XSS attempt
- Null cookie headers
- Prevent fake search engine (Google, Baidu, Yandex) bots from crawling
- Brute force attacks
SUCURI has two security services: Website Antivirus and Web Application Firewall.
If you are just looking for WAF protection, you can start with the Sucuri Firewall basic plan, which covers the following.
- XSS (Cross Site Scripting)
- RCE (Remote Code Execution)
- SQLi (SQL injection)
- Layer 7 DDoS protection
- Brute Force protection
- Intrusion Detection System
- Intrusion Prevention System
- HTTP Flood protection
- 2FA, Captcha and Password protection
SUCURI is supported on various platforms including WordPress, Joomla, Drupal, Magento, Microsoft .Net, OSCommerce, vBulletin, phpBB.
Wondering how much it costs? Here is a quick guideline on WAF pricing.
|Cloud-Based Security Provider||Pricing (starting from in USD) per month|
It’s always wise to check the price on the official website, as they might have an offer from time to time.
There are many other WAF providers like SiteLock, Akamai, F5 and AWS, but I found the above three easy to set up (in just a few minutes), and the entire process is online compared to the others.