Here’s a crazy stat I heard the other day: analysts are projecting a “whitehat deficit” for next 25-30 years. What they mean is that the current shortage of available skilled security practitioners is here to stay. Applications could be at the mercy of malicious attackers from all around the globe for an entire generation. More than anything else, the deficit of available security professionals is what will drive more and more services into the cloud.
The primary defensive technology for application security is the Web Application Firewall (WAF). F5 has spent the last 10 years perfecting a full-proxy Web Application Firewall to protect against the famous OWASP Top 10 application vulnerabilities such as:
SQLi: SQL Injections
XSS: Cross-Site Scripting
CSRF: Cross-Site Request Forgery
CSOs know they need a WAF in front of their high-value assets (and not just because PCI says so). By and large they don’t mind investing in the technology. But in my experience the issue with deployment is always about staff.
"“I don’t have the staff I need to run the solutions I already have.” --every CSO I've ever talked to
So F5’s announcement that it is turning the world’s best WAF into a cloud service speaks to the generational security gulf that we’re entering. Enter the Silverline Web Application Firewall as-a-Service (WAFaaS).
With the Silverline WAFaaS CSOs can gain the benefits of having the world’s most sophisticated WAF protecting their high-value applications without having to find and retain the associated headcount.
Hopefully this makes as much sense to you, dear reader, as it does to me. The only question I had about the launch was this: is the application still open to the internet after we start fronting it with the WAFaaS. The answer is “not typically – WAFaaS uses the same GRE tunnels that our DoS protection service uses.” Once the WAF is in place the application is then configured only to accept traffic from F5’s data centers.
The world is looking at Security-as-a-Service to plug the skills gap. Expect to see more cloud-hosted solutions like Silverline rolling out for a long time to come.