Web Application Firewalls versus Web Vulnerability Scanners

Web application firewall or web application security scanner? Which offers a better solution when faced with today's dynamic security environment?

Surprisingly, the answer is neither on its own. The two tools solve different problems, work independently of one another, and are at their most effective when used together.

Time and time again, it has been demonstrated that there are no shortcuts when it comes to web application security. It only takes one individual with malicious intent and a single vulnerability to wreak havoc on an entire organization.

Instead of looking for an easy or one-size-fits-all security solution, consider the proper application of each tool. Firewalls, automated scanners and human penetration testers all have their place when it comes to implementing the most effective security posture possible.

In this post, we’re going to compare web application firewalls to web application vulnerability scanners. The objective is to help you to understand their proper application as well as how they can be used in conjunction with one another.


What is a Web Application Firewall?

There is often some confusion surrounding the use of WAFs and how they differ from a scanner. While there is certainly a technical description, sometimes it’s easiest to begin with an explanation as it relates to history.

In 1179, Henry II began reconstruction of Dover Castle and its surrounding defences using a concentric design, the first of its kind in Western Europe. Every castle is vulnerable to attack, and to counter this risk Henry had a series of outer walls constructed around the keep, designed to act as an initial line of defence. These walls were an effective way of controlling traffic both in and out of the castle. Could they be breached? As Prince Louis of France discovered in 1216, yes, they could. But not easily, and not without alerting the defenders, who countered the attack and forced a French retreat.

Web application firewalls work in a similar but modern way, surrounding a web application with a virtual wall that inspects both inbound requests and outbound responses. The WAF looks for signs of an attack or of a data breach in progress, such as SQL injection, cross-site scripting (XSS) and session hijacking attempts, and blocks or logs the matching traffic. For this reason, WAFs are often deployed as a preventative measure by the owners or administrators of web applications.

Web application firewalls are also effective at analyzing traffic patterns. If an unusual or suspicious pattern is detected, countermeasures such as blocking or rate-limiting the source can be applied in real time, which can stop an attack before it succeeds.

At the same time as WAFs control traffic, they should also keep it flowing as efficiently as possible. Because a WAF typically sits in front of the application as a reverse proxy, it can also provide caching, compression, load balancing and more. In this regard WAFs improve not only security but also performance, which makes them an attractive “alternative”.

But web application firewalls should not be considered an alternative to fixing the application. Yes, WAFs are extremely effective at performing their assigned task. However, attackers have proven equally effective at circumventing them: a WAF matches patterns in traffic, and a payload can be re-encoded, split or obfuscated until it no longer matches a rule while still exploiting the vulnerability behind it. In addition, attackers now routinely use automated tools to probe for weaknesses and bypasses in web application firewalls.

What is a Web Vulnerability Scanner?

Also referred to as web application vulnerability scanners, these automated tools crawl a web application, send it crafted requests and analyze the responses in search of potential vulnerabilities. Web application firewalls shield vulnerable code from attacks (SQL injection, XSS, privilege escalation, unencrypted HTTP where HTTPS is required, brute-force login attempts and more); web application security scanners are different. They search for and identify the vulnerabilities themselves, which gives the developer or end user an opportunity to close them. Web application security scanners therefore offer a more permanent solution, as long as the findings are acted upon.

Let’s jump back to our historical example for a brief moment. In 1216, when Prince Louis of France breached the outer defences of Dover Castle and eventually the gatehouse, a vulnerability was exposed. Perhaps Prince Louis would have made a great penetration tester: thanks to his hard work in breaching the north gate, the vulnerability was exposed and, in subsequent years, patched and hardened.

Web application security scanners are the tool of choice for web application developers and penetration testers because, instead of shielding a vulnerability from attack, they expose it. In doing so, they provide an opportunity to fix the code itself.
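The two roles described above, the WAF that pattern-matches traffic and the code fix that a scanner's finding leads to, side by side in one runnable demo. This is an added example and not code from the original post or from any WAF or scanner product: `WAF_RULES` is a deliberately naive signature set standing in for a real rule set, `lookup_vulnerable` is the kind of string-built query a scanner would report, `lookup_fixed` is the same lookup with a bound parameter, and the user table and the two payloads are constructed for the demo. It uses only the Python standard library (`re`, `sqlite3`).

```python
from __future__ import annotations

import re
import sqlite3

# Constructed sample data for the demo (assumption, not from the original post).
USERS = [(1, "alice"), (2, "bob"), (3, "carol")]

# A deliberately naive signature set standing in for a WAF rule set (assumption).
# Each entry is (rule name, pattern applied to a decoded parameter value).
WAF_RULES = [
    ("sqli-boolean", re.compile(r"'\s+or\s+", re.IGNORECASE)),
    ("sqli-union", re.compile(r"\bunion\s+select\b", re.IGNORECASE)),
    ("xss-script-tag", re.compile(r"<script\b", re.IGNORECASE)),
]


def waf_inspect(params: dict) -> str | None:
    """Return the name of the first rule that matches any parameter, else None."""
    for value in params.values():
        for name, pattern in WAF_RULES:
            if pattern.search(value):
                return name
    return None


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(username: str) -> list[tuple]:
    """The flaw a scanner would report: user input spliced into the SQL text."""
    conn = _connect()
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_fixed(username: str) -> list[tuple]:
    """The fix at the source: a bound parameter is data and is never parsed as SQL."""
    conn = _connect()
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def handle(params: dict, backend) -> dict:
    """Front a lookup with the WAF and report which stage decided the outcome."""
    rule = waf_inspect(params)
    if rule is not None:
        return {"blocked_by": rule, "rows": []}
    return {"blocked_by": None, "rows": backend(params["username"])}


if __name__ == "__main__":
    # The textbook payload matches the rule; the comment-obfuscated variant does
    # not, yet SQLite still reads '/**/' as whitespace and evaluates OR 1=1.
    obvious = {"username": "' OR 1=1--"}
    evasive = {"username": "'/**/OR/**/1=1--"}
    for label, req in (("obvious", obvious), ("evasive", evasive)):
        print(label, "behind WAF, vulnerable code:", handle(req, lookup_vulnerable))
        print(label, "behind WAF, fixed code:     ", handle(req, lookup_fixed))
```

The obvious payload is stopped by the `sqli-boolean` rule, so the WAF appears to work. The evasive payload slips past the rule unchanged and, against the string-built query, returns every row in the table; against the parameterized query it returns nothing, because the bound value is compared as a string rather than executed. That is the page's argument in miniature: the rule buys time, the code change removes the vulnerability.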

Should You Use a Web Application Firewall or Web Application Scanner?

When it comes to the discussion of web application firewalls and web application security scanners, we’re in a situation that is very similar to that of having to decide between automated web security scanning tools or human penetration testers. The answer is not as simple as you might think.

Like most things, the ideal answer lies in finding a balance and in using the right tool for the right reasons and in the right situations.

Web application firewalls are an effective and often indispensable tool in the fight against attackers. However, they should not be relied upon as the only solution, for one specific reason: they do nothing to resolve or patch the underlying security vulnerability.

A web application firewall should act as the first line of defence, not the last. If you don’t use a scanner to expose potential vulnerabilities, you’re placing your entire security posture at risk. Inevitably, at some point, a web application firewall will be bypassed or have a vulnerability of its own exposed, leaving the unpatched application unprotected.


Understanding the independent roles of each tool makes it clear why they should be used in conjunction with one another, but never relied on as the solitary method of defence.