Picking the Best Open-Source Web Application Firewall
The days of static web pages are long gone, and now, users expect seamless interaction on the frontend and, at the same time, communication via API and database calls to a myriad of servers and services on the backend. In the past, with static pages, security was an afterthought. Developers were more concerned with someone hacking their server than a web page. However, that's not the case anymore. Developing, deploying, and securing modern websites brings with it a complexity that, depending on the size of your website, could warrant employing entire teams to keep your website running and secure. In this article, you'll learn more about how you can secure a modern web application and how you can use open-source web application firewalls (WAFs) to achieve this goal.
What Is a WAF?
A WAF is a piece of software that monitors and analyzes all the traffic destined for your website. During this analysis, the WAF uses threat signatures and/or other detection methods to determine whether the connection to the website is harmless or malicious. Once the WAF has made a decision, it either forwards or drops the connection that was meant for your website.
WAFs used to be mostly hardware devices that (practically and literally) sat in front of your web server. All traffic would first go through the device for analysis before being forwarded. Modern WAFs are usually some sort of software. You get cloud-based WAFs, which are hosted services that work in the same principle as hardware WAFs: they monitor and analyze traffic meant for your web application and, depending on the analysis, make a choice whether to allow or block the connection to your website. You can also deploy a modern WAF as a local piece of software. This software is usually deployed as a part or as a dependency of your web application and is usually hosted in the same space as your website.
WAFs are a vital part of any website deployment, which is why this article will compare a few open-source WAFs with one another to help you decide which WAF is right for your next project.
Why an Open Source WAF?
An open-source WAF has a lot to offer, especially if you're a smaller company that can't necessarily afford the services of the bigger WAF providers, like Imperva WAF or F5 Nginx App Protect. Beyond the possible pricing benefits, an open-source project gives you the option of seeing the source code of an application for yourself if you are inclined to do so. Many developers also admire and share the vision that open-source software has for the world — a vision of openness and transparency that also promotes better higher-quality code.
How to Choose the Best WAF for Your Use Case?
While there are many different features to consider before deciding on a WAF, this article will focus on a few key areas in particular.
Open Source Principles
While many open-source applications claim to be open-source, you need to take a deeper look at what that means in terms of code quality. A well-maintained open-source project should try to have the following few points covered to be considered a project that is worth taking a look at:
Active development: You should look for a project that is being actively maintained, with regular code updates and feature enhancements being submitted. This is especially important in a security application context, where outdated software could be more vulnerable to newer malware methods. Using an outdated software application for your WAF component could lead to your web application being vulnerable to modern attacks.
Third-party code audits: Does the project you're considering implement third-party code audits? These audits are important, as they remove bias that the developers of the project might have toward their own software and, at the same time, allow for an unbiased auditing team to take a look at the code, looking for common mistakes in the code that could give a threat actor an advantage.
Adherence to free/libre and open source software (FLOSS) criteria: Does the project truly adhere to FLOSS principles in terms of making their software's source code freely available while also promoting access to that same code? For example, the L in FLOSS means libre, which is the French word for "Free." In the context of the project, does it give you the freedom to use the project as you see fit?
Community: A good open-source project usually has a growing community of developers that are actively engaged in contributing to a project, whether helping directly via code commits or just helping new users get up and running.
Advanced Security Features
While all WAFs should be able to handle threat detection and prevention based on signatures, modern web applications require going beyond the standard security features. You should compare the different WAFs with regard to what they are offering in terms of advanced security features.
Consider the following, for instance:
What kind of attacks are stopped by the WAF?
Does it cover the OWASP Top 10?
Does the WAF offer protection against bots?
Does it offer a preemptive detection/prevention solution that also blocks zero-day attacks?
These are all important questions you should be asking yourself before settling on a new WAF for your next (or current) project.
What Are Your Options?
Following are a few key players in the open-source WAF space:
ModSecurity was one of the first open-source WAFs that existed, with the first code being released over twenty years ago. It's gone through a lot of major versions over the years, and due to its open-source nature, many companies were able to implement ModSecurity for their web server applications.
With ModSecurity, you can deploy it whether your website is being served up by NGINX, Apache HTTP Server, or even Microsoft's IIS. However, the project has changed hands over the years, and the current maintainer, Trustwave SpiderLabs, has made the decision to stop supporting and maintaining the project after July 1, 2024. While the project will still be open-source, this can be an indication that it's no longer viable to work on a codebase that is this old and that SpiderLabs considers it better to move its resources elsewhere.
It's also unclear whether ModSecurity has ever had a third-party code audit. From a security perspective, ModSecurity is actually a core part of the OWASP Foundation's mission to improve web application security for everyone. They publish a Core Rule Set (CRS) for ModSecurity that is considered to be the first line of defense by many in the cybersecurity industry.
Other WAF providers, including cloud-based WAF providers, like Azure WAF and [Amazon Web Services (AWS) WAF], also offer this same CRS to be deployed on their own platforms. ModSecurity does offer some advanced features, like bot protection, but these features are usually provided by plugins. Moreover, these plugins are sometimes written by community members, so finding a good set of plugins to cover most of your security needs may take some time. While there have been some [academic papers] that explore the idea of using machine learning (ML) to improve detection methods, in ModSecurity no one seems to have developed something that can be used in practice.
Coraza is an open-source WAF written in Go that aims to be a drop-in replacement for ModSecurity. The project seems to be actively maintained and has an actively engaged community on GitHub via issues and pull requests. However, they don't mention anything about third-party code audits on their websites. And on the security front, Coraza is clearly aimed at being a drop-in replacement for ModSecurity, as they fully support and implement the OWASP CRS and support custom rules written in ModSecurity's SecLang language.
The project does seem to be early in its development phase, with many of the advanced security features, like bot and distributed denial-of-service (DDoS) protections, listed in their plugins roadmap and not currently available. There is also currently no mention of using advanced techniques, like ML, to improve detection or prevention techniques.
Shadow Daemon is an open-source WAF that seems to be aimed at a few specific programming languages and their respective web frameworks. For instance, popular frameworks, like Django and Mojolicious, are supported. The activity on their GitHub project page does seem rather muted compared to the other WAFs on this list, but there has been a release in the last six months (at the time of writing). No mention is made of a code audit at any time. From a security perspective, Shadow Daemon also seems to be doing things a bit differently. While there isn't any mention of the OWASP Top Ten or the CRS, they do claim to stop common attacks, like SQL injection and cross-site scripting (XSS).
However, Shadow Daemon seems to use a combination of blacklisting, whitelisting, and integrity-checking methods to detect and prevent attacks. It's hard to evaluate this method for accuracy without installing and using the application, but the authors do claim they have a low false-positive rate. No mention is made of advanced detection techniques, like bot detection or ML-aided detection.
open-appsec is an open-source WAF that has recently entered the market. Its project page on GitHub is seeing quite a bit of activity, and o is actively engaging with users via posted issues. It also recently concluded a third-party code audit that was facilitated by LEXFO, a cybersecurity company located in France, and the [full report is available to the public]. While the report may be hard to read for nontechnical people, the summary section of the report clearly states that there were six vulnerabilities found, ranging from medium to low risk, and that all six of those vulnerabilities have already been fixed. The report has given open-appsec an [overall security level of excellent] (https://www.openappsec.io/post/open-source-code-is-now-published-for-open-appsec-machine-learning-based-waf).
Looking at the security side of things, open-appsec offers a lot of exciting features that you don't see in other WAFs.
Their main security feature is an ML-powered detection engine that analyzes every request against two ML models:
The first model was trained offline, using millions of malicious and benign connection requests. This model quickly detects the most common attacks from the OWASP Top Ten categories and assigns a confidence level for that request based on the risk it might present to your application. Low-risk connections are passed on to your web application.
The second model is trained and built in real time, using contextual patterns from your web application to learn what a normal, safe connection request should look like. This learning will include the structure of your application and the way users normally interact with that structure. Once the model has been trained, requests that seem suspicious but couldn't be determined to be malicious by the first model get passed to the second model to be evaluated against the context of your application. It's this ML-powered engine that helps open-appsec achieve really accurate detection rates and a very low false-positive rate. This same engine is powerful enough to detect attacks for which there are no signatures yet, as was evidenced late in 2021 when a Log4j vulnerability was being actively exploited by a large number of attackers online. After many WAF vendors updated their signatures to detect the new attack, the attackers changed their methods to try and bypass the new detection methods. open-appsec's ML-powered detection was able to detect the new attacks preemptively.
Many other advanced security features, like bot detection and API security, are just part of openappsec's main feature set.
You've now been introduced to a few open-source WAFs, all with varying levels of active development and community engagement, as well as a diverse set of security features. Hopefully, this article will help you decide on the WAF you want to implement for your next web application project.