Dmitry Evteev of Positive Technologies recently posted about a method to bypass web application firewalls (like mod-security) to mount SQL injection attacks.
While web application firewalls (or WAFs) play an important role in a defense-in-depth strategy, the post highlights why businesses cannot rely solely on preventative technologies like WAFs to secure their websites from attacks, particularly web-based malware attacks.
For one, as the article and its comments demonstrate, a WAF requires configuration and ongoing maintenance of both its software and its rulesets to keep pace with the latest attacks. If the WAF is running out-of-date software or rulesets, or if the administrator has configured the device improperly, it will not stop attacks like the one detailed in Dmitry's post.
Second, there will always be new types of attacks and new vulnerabilities that attackers can exploit to inject malicious code into websites. WAFs enforce policy largely through signatures of known attack patterns; a "zero-day" attack whose requests match no signature, or that is deliberately crafted to look like legitimate traffic, passes straight through.
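The two failure modes above (stale or naive rules, and attacks that do not look like the signature) can be shown with a toy signature-matching WAF. This is an added example, not code from Dmitry's post or from Dasient, and it does not reproduce the specific bypass his post describes; the rules, the `normalize` function and the sample parameter values are constructed assumptions for illustration only.

```python
"""Toy signature WAF: why rule maintenance and input normalization matter.

Added example, not code from the original post. The rules, payloads and
normalization steps below are constructed for illustration; they do not
reproduce the specific bypass from Dmitry Evteev's post.
"""
import re
import urllib.parse

# An old, single-signature rule of the kind an unmaintained WAF might carry:
# it only knows the literal "UNION <whitespace> SELECT" shape.
NAIVE_RULES = [re.compile(r"union\s+select", re.IGNORECASE)]

# The same rule after maintenance: it also accepts the optional ALL/DISTINCT
# keyword that valid SQL allows between UNION and SELECT.
UPDATED_RULES = [re.compile(r"union(\s+(all|distinct))?\s+select", re.IGNORECASE)]


def normalize(payload: str) -> str:
    """Canonicalize a parameter the way a properly configured WAF would
    before matching signatures:
      * URL-decode twice, so double-encoded payloads are seen decoded;
      * replace /* ... */ comments with a space, because the SQL parser
        treats them as whitespace and attackers use them in place of spaces;
      * collapse runs of whitespace and lowercase.
    """
    s = payload
    for _ in range(2):
        s = urllib.parse.unquote_plus(s)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.DOTALL)
    s = re.sub(r"\s+", " ", s)
    return s.lower().strip()


def waf_blocks(payload: str, rules, normalize_first: bool) -> bool:
    """True if any rule fires on the payload (raw or normalized)."""
    s = normalize(payload) if normalize_first else payload
    return any(r.search(s) for r in rules)


def classify(payload: str) -> dict:
    """Run one payload through three WAF configurations:
    naive rule on raw input, naive rule on normalized input,
    and the maintained rule on normalized input."""
    return {
        "naive_raw": waf_blocks(payload, NAIVE_RULES, False),
        "naive_normalized": waf_blocks(payload, NAIVE_RULES, True),
        "updated_normalized": waf_blocks(payload, UPDATED_RULES, True),
    }


# Constructed sample values for a hypothetical vulnerable "id" parameter.
PAYLOADS = {
    "plain":     "1 UNION SELECT user,password FROM users",
    "comment":   "1 UNION/**/SELECT user,password FROM users",          # comment used as whitespace
    "encoded":   "1%20UNION%09SELECT%20user,password%20FROM%20users",   # URL-encoded tab separator
    "union_all": "1 UNION ALL SELECT user,password FROM users",         # valid SQL the old rule never knew
    "boolean":   "' OR 'a'='a",                                         # no UNION at all: looks like data
}

if __name__ == "__main__":
    for name, p in PAYLOADS.items():
        print(f"{name:10} {classify(p)}")
```

Run it and the three columns tell the story: the comment and encoding tricks evade the raw rule but are caught once the WAF normalizes input (a configuration issue); `UNION ALL SELECT` evades even the normalized naive rule until the ruleset is updated (a maintenance issue); and the boolean-based payload fires nothing in any configuration, because it contains none of the tokens the signatures look for.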
Finally, not all malware attacks exploit web application vulnerabilities to place malware on websites. For example, the Gumblar attack from earlier this year relied on compromised FTP credentials to infect sites. Recent malvertising attacks have taken advantage of syndicated ad networks to display malicious ads on legitimate publisher sites. A recent study by Google discovered that "the [malicious] code was often contained in those parts of the website not designed or controlled by the website owner, such as banner adverts and widgets... Widgets are small programs that may, for example, display a calendar on a webpage or a web traffic counter. These are often downloaded from third-party sites."
Security professionals tend to invest heavily in "preventative" solutions but underinvest in technologies to detect and remediate problems when they (inevitably) occur. WAFs can help "raise the bar," making it more difficult for attackers to infect a legitimate website. However, given that attackers can circumvent preventative technologies like WAFs, businesses cannot rely on WAFs alone to secure themselves from malware attacks. To provide true defense-in-depth, WAFs must be complemented by services like Dasient Web Anti-Malware (WAM) that automatically monitor websites for infections and remediate them when they occur.