Half of organizations use web application firewalls to hide flaws

The ongoing struggle to update vulnerable software by finding and applying the right patches in a timely manner has led half of corporate IT departments to use web application firewalls (WAFs) either instead of patching or to offer some protection before the patch can be made.

This comes from a new Dark Reading report, “How Companies Are Securing the Application Environment.” The survey asked 136 IT, cybersecurity, and app development professionals from organizations across more than 20 verticals about their app development practices.

The difficulty of finding and applying security patches is well known. In a recent series of ransomware reports, cyber risk management firm Black Kite noted that patch management was a persistent weakness in industries as diverse as pharmaceuticals and automotive manufacturing. While safe and reliable automation is being developed, IT departments often have to settle for risk-based management and risk-reducing workarounds.

When the Dark Reading survey asked respondents in 2022 how they used WAFs to reduce risk to their web applications, 14% admitted to using WAFs instead of patching vulnerabilities, and 36% said they used WAFs as temporary protection before moving on to correction. Still, that’s an improvement from 2021, when the numbers were 19% and 23%.

The way companies use WAFs has changed more than the number of companies using the tool. The percentage of respondents who report using WAFs as part of layered defenses rather than some sort of temporary fix fell from 30% in 2021 to 24% in 2022. However, the overall percentage of those using WAFs remained about the same: 74% in 2022 vs. 72% in 2021. It seems that despite the gaps in technology, WAFs continue to be useful ingredients in the cybersecurity pantry.
