Merge pull request #929 from alphagov/review-waf-page
Update WAF page
louzoid-gds authored Jul 30, 2024
2 parents daf1762 + 3beb04e commit fd705a8
Showing 1 changed file with 10 additions and 20 deletions.
30 changes: 10 additions & 20 deletions source/standards/web-application-firewall.html.md.erb
@@ -1,6 +1,6 @@
---
title: Use a web application firewall (WAF)
last_reviewed_on: 2023-06-27
last_reviewed_on: 2024-07-24
review_in: 6 months
---
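Review bot: the `last_reviewed_on` bump to 2024-07-24 with `review_in: 6 months` left unchanged is consistent, but the commit itself lands on Jul 30, 2024; if `last_reviewed_on` is meant to record when the content was actually checked, confirm the date, since the six-month review reminder is computed from this field.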

Expand All @@ -12,7 +12,7 @@ A [web application firewall (WAF)](https://owasp.org/www-community/Web_Applicati

Your continuous integration (CI) and continuous deployment (CD) pipelines should include security tests in their workflows to identify any common vulnerabilities in your code. Some common vulnerabilities like [Cross-site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/) and [XML command injection attacks](https://wiki.owasp.org/index.php/Testing_for_XML_Injection_(OTG-INPVAL-008)) are still possible in your production environments due to human error.

Combining a WAF with CI and CD tools reduces the risk from those tools, and provide enhanced layered security coverage for your service.
Combining a WAF with CI and CD tools reduces the risk of these attacks being successful, and provides enhanced layered security coverage for your service.

You may also need to use a WAF because of:
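Review bot: the rewritten sentence now says a WAF reduces the risk of these attacks succeeding rather than "the risk from those tools", which fixes the logic, but the unchanged context line above still labels the linked OWASP page ("Testing for XML Injection") as "XML command injection attacks"; the link text should match the target, for example "XML injection attacks", and the wiki.owasp.org address points at the retired OWASP wiki, so it is worth updating while the page is under review. It would also help to state plainly that the WAF is a compensating control for flaws that slip past the CI/CD security tests, not a replacement for those tests.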

Expand All @@ -26,7 +26,7 @@ You may also need to use a WAF because of:

Set up a baseline of tests in your project’s alpha phase to identify any security vulnerabilities. As your service’s features grow, extend your tests to cover new vulnerabilities you identify. For example, through exercises like [application threat modelling](/standards/threat-modelling.html)

[Good development practices](/) should detect and fix common vulnerabilities before they reach production environments. Use your WAF to track digital services vulnerabilities an attacker could exploit.
[Good development practices](https://www.ncsc.gov.uk/collection/developers-collection) should detect and fix common vulnerabilities before they reach production environments. Use your WAF to track digital service vulnerabilities an attacker could exploit.

You should:
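Review bot: "Use your WAF to track digital service vulnerabilities an attacker could exploit" overstates what a WAF does; it logs and blocks requests that match its rules rather than tracking vulnerabilities, so "Use your WAF logs to see which vulnerabilities attackers are probing" would be more accurate. Replacing the bare "/" link, which sent readers to the manual's home page, with the NCSC developers collection is the right fix. Minor: the unchanged context line ending "For example, through exercises like [application threat modelling](/standards/threat-modelling.html)" has no full stop.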

Expand Down Expand Up @@ -63,11 +63,11 @@ When WAF alerts are raised, make sure you already have an incident policy in pla

Review your WAF after each application change against the risks in the OWASP top 10 category rules.

This should be similar to how you use an [IT Health Check (ITHC)](https://www.itgovernance.co.uk/it-health-check) to test and confirm the effectiveness of security controls in your environment.
This should be similar to how you use an [IT Health Check (ITHC)](/standards/how-to-do-penetration-tests.html) to test and confirm the effectiveness of security controls in your environment.

## Case study GOV.UK PaaS

A [GOV.UK PaaS](https://www.cloud.service.gov.uk/) tenant uses a pattern with [Amazon Web Services (AWS) WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) before forwarding traffic to their apps with enabled shield advance for extra protection.
A [GOV.UK PaaS](https://www.cloud.service.gov.uk/) tenant uses a pattern with [Amazon Web Services (AWS) WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) before forwarding traffic to their apps with enabled [shield advance](/manuals/security-overview-for-websites.html#12-aws-shield-response-team) for extra protection.

For more information read the proposed architecture for [implementing a DDoS-resistant Website using AWS Services](https://docs.aws.amazon.com/waf/latest/developerguide/tutorials-ddos-cross-service.html).
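Review bot: "shield advance" should use the product name "AWS Shield Advanced", and "forwarding traffic to their apps with enabled [shield advance]" reads awkwardly; suggest "before forwarding traffic to their apps, with [AWS Shield Advanced](/manuals/security-overview-for-websites.html#12-aws-shield-response-team) enabled for extra protection." Pointing the ITHC link at the manual's own penetration-test page instead of itgovernance.co.uk keeps the guidance in one place. The unchanged line "Review your WAF after each application change against the risks in the OWASP top 10 category rules" would benefit from a link to the OWASP Top 10, as the rest of the page links its OWASP references.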

Expand All @@ -77,20 +77,10 @@ For more information read the proposed architecture for [implementing a DDoS-res

GOV.UK Pay operates under the governance of [PCI compliance and DSS point 6.6](https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf) which states the need for web application scanning.

## Contact GDS Information Security or COD Cyber Security
## Contact GDS Information Security or CO:D Cyber Security

Contact GDS [Information Security][] or the security architects in the COS Cyber Security team by email at [cyber.security@digital.cabinet-office.gov.uk](mailto:cyber.security@digital.cabinet-office.gov.uk) or use the [#cyber-security-help Slack channel](https://gds.slack.com/messages/CCMPJKFDK/) for help and advice.
Contact GDS [Information Security][] or the security architects in the [CO:D Cyber Security team](https://sites.google.com/cabinetoffice.gov.uk/cybersecurity/about-the-team) or use the [#cyber-security-help Slack channel](https://gds.slack.com/messages/CCMPJKFDK/) for help and advice.

## Further reading

To find out more about WAF refer to:

- [Open Web Application Security Project (OWASP)](https://owasp.org/) the OWASP Foundation
- [WASC OWASP Web Application Firewall](https://wiki.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project) Evaluation Criteria Project
- [National Cyber Security Centre (NCSC)](https://www.ncsc.gov.uk/) guidance

## References

- [Information Security]: https://sites.google.com/a/digital.cabinet-office.gov.uk/gds/directorates-and-groups/cto-and-ciso-office/information-security
- [Cyber Assessment Framework]: https://www.ncsc.gov.uk/collection/cyber-assessment-framework/introduction-to-caf
- [Secure by Design Principles]: https://www.security.gov.uk/guidance/secure-by-design/
[Information Security]: https://sites.google.com/a/digital.cabinet-office.gov.uk/gds/directorates-and-groups/cto-and-ciso-office/information-security
[Cyber Assessment Framework]: https://www.ncsc.gov.uk/collection/cyber-assessment-framework/introduction-to-caf
[Secure by Design Principles]: https://www.security.gov.uk/guidance/secure-by-design/
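Review bot: dropping the mailto address from the contact line leaves only a Google Sites page and a Slack channel as routes to CO:D Cyber Security; confirm the team page lists a contact address, otherwise readers without GDS Slack access lose their only way to reach the team. Removing the "## References" heading and the bullet markers is correct, since they were rendering the link definitions as a visible list; check that `[Cyber Assessment Framework]` and `[Secure by Design Principles]` are still referenced elsewhere on the page, as unreferenced definitions can be dropped too. The unchanged PCI line says requirement 6.6 "states the need for web application scanning", but the linked supplement (infosupp_6_6_applicationfirewalls_codereviews.pdf) covers application firewalls and code reviews as the two options, so the sentence undersells why the WAF matters for GOV.UK Pay.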
