Skip to main content
← All controls
SI-10 / A.8.22 / CIS-18.5 NIST SP 800-53 Rev 5

Web application firewall

Demonstrate that the organization has deployed and properly configured a web application firewall that actively inspects inbound traffic to web applications, blocks malicious requests, and maintains audit logs of security events.

Description

What this control does

A web application firewall (WAF) is a security appliance or cloud service that inspects HTTP/HTTPS traffic between clients and web applications, blocking malicious requests based on signatures, behavioral analysis, and policy rules. The WAF filters common attack patterns including SQL injection, cross-site scripting (XSS), remote file inclusion, and OWASP Top 10 vulnerabilities before they reach the application layer. WAFs operate in inline or proxy mode, providing virtual patching capabilities when application code cannot be immediately remediated.

Control objective

What auditing this proves

Demonstrate that the organization has deployed and properly configured a web application firewall that actively inspects inbound traffic to web applications, blocks malicious requests, and maintains audit logs of security events.

Associated risks

Risks this control addresses

  • SQL injection attacks that extract, modify, or delete sensitive database records through unvalidated user input
  • Cross-site scripting (XSS) attacks that inject malicious scripts into web pages viewed by other users, leading to session hijacking or credential theft
  • Remote file inclusion and command injection attacks that execute arbitrary code on the web server
  • Distributed denial-of-service (DDoS) attacks that overwhelm application resources and cause service unavailability
  • Zero-day application vulnerabilities exploited before patches are available or applied
  • Bot-driven credential stuffing, scraping, or automated abuse that degrades performance or compromises accounts
  • OWASP Top 10 exploits including broken authentication, sensitive data exposure, and XML external entity attacks

Live threat patterns this control mitigates:

HIGH ICS / OT Device Vulnerability Vulnerability disclosed in an industrial / building-control device. Implies the device may be reachable from the corporate network… HIGH OT / Industrial Control System Attack Attack targeting operational technology — pumps, controllers, processing equipment. Implies OT exposure to the internet, default credentials on… HIGH Website Defacement Campaign Ongoing pattern of website defacements where attackers replace site content to push a political or trophy message. Implies… HIGH Threat Actor Targets Public Website A named hacktivist group or hostile actor publicly claims attack against an organisation's website. Whether the attack succeeds…

Testing procedure

How an auditor verifies this control

  1. Obtain and review the architectural diagram showing WAF placement in the network topology and which web applications are protected.
  2. Export and review the WAF ruleset configuration, including enabled signatures, custom rules, OWASP Core Rule Set version, and policy enforcement mode (blocking vs. monitoring).
  3. Verify that the WAF is configured in blocking mode (not detect-only) for production applications by reviewing the global policy settings.
  4. Select a sample of three to five web applications and confirm each is explicitly associated with an active WAF policy or protection profile.
  5. Review WAF logs from the past 30 days and identify blocked requests, verifying that malicious traffic is being detected and prevented (e.g., SQL injection attempts, XSS payloads).
  6. Conduct or review results of a controlled penetration test or vulnerability scan that simulates common attacks (SQL injection, XSS) against a protected application to validate blocking behavior.
  7. Interview the security operations team to confirm alert thresholds, false positive tuning procedures, and incident response workflows for WAF-generated security events.
  8. Review change management records for the past quarter to verify WAF rule updates, signature patches, and policy modifications are documented and approved.
Evidence required Collect network diagrams showing WAF deployment architecture, exported WAF policy configurations including enabled rulesets and enforcement modes, screenshots of application-to-policy mappings, WAF event logs demonstrating blocked malicious requests over a 30-day period, penetration test or vulnerability assessment reports showing WAF effectiveness, and change management tickets for recent WAF rule updates or signature deployments.
Pass criteria The control passes if a WAF is deployed inline to all internet-facing web applications, configured in blocking mode with current OWASP Core Rule Set or vendor-equivalent signatures, and actively logging blocked malicious requests with evidence of operational monitoring and tuning.

Where this control is tested

Audit programs including this control

ICS / OT Device Vulnerability — Audit Program

Vulnerability disclosed in an industrial / building-control device. Implies the device may be reachable from the corporate network…

5 controls · v0.1.0