Yong Zhou
Security Solutions Architect

Assess Cloud-based Web Application Firewalls with Breach and Attack Simulation

June 10, 2020 by Yong Zhou

Securing your web applications is a necessity. As the 2020 Verizon DBIR reports, web application attacks remain the top action vector leading to data breaches. However, in a 2018 Mozilla survey of the top 1 million websites, a staggering 90+% of these sites earned an ‘F’ for failure to implement basic measures to protect from common attack methods. Companies continue to drag their feet to adopt and deploy application security measures, and it comes with damaging ramifications.

Historically, a web application firewall (WAF) is deployed to inspect incoming application traffic for potential threats and malicious activity. Typically, the WAF was an appliance in the data center, but as companies continue to transition to the cloud and customers demand more agility, enterprises are looking more and more to cloud WAF offerings that have the ability to identify and mitigate malicious traffic. A cloud WAF is less complex to deploy and will integrate with your existing security solutions. In fact, if you’re using Amazon Web Services (AWS), Azure, or Akamai KONA, you have access to a WAF solution today that is managed by your provider and will scale to your needs. Perfect, right?

Now, let’s talk about auditing that WAF to be sure it’s effective against attack, while keeping your application performing. I used Keysight Threat Simulator to safely and continuously validate and assess the effectiveness of  cloud-based WAF services with:

  • Quick and easy to deploy light-weight agents on the cloud or on the premises
  • Comprehensive web application security audits following OWASP Web Top 10 risk assessment
  • Automated assessment runs with clear to follow remediations for WAF rules tuning


Here is a recent video that showcases the deployment of AWS WAF services and Threat Simulator agents using a CloudFormation template; and a quick assessment of the basic Web ACL rule sets managed by AWS.

In this second video, I go through the process of tuning the AWS WAF Web ACL with custom rule sets based on the earlier Threat Simulator WAF assessment results, along with recommendations to further improve the effectiveness of AWS WAF services against the web application attacks.

Security is never static. Simply deploying a WAF will not make your web applications secure. Continuously assessing and tuning the WAF Web ACL rules with a solution like Treat Simulator is the only way to keep and improve the effectiveness of your web application security. Give Threat Simulator a (free) try today.