PoC For The Cloud WAF (Web Application Firewall)?
What is PoC?
PoC stands for Proof of Concept and is used in almost all industries as a way for potential customers to test out a product before taking the leap and making a big purchase, much like test driving a car.
For companies interested in cloud web application security, doing a PoC is one way to know whether a certain WAF is a good fit for them. A PoC allows a potential customer to test and evaluate the security product’s capabilities prior to purchasing and is an important step in the selection phase.
Ultimately, a WAF PoC is needed to demonstrate the functionality of the WAF and provide potential future clients with enough information to determine whether it is a viable security solution. Furthermore, it brings a WAF in-house to ensure that it will work in your environment.
What can be tested at the PoC stage, and what are the benefits?
Because a WAF PoC is meant to be tested in your environment, you might be wondering what exactly you can test. The most obvious is performance.
During the PoC stage, potential clients can gain a deeper understanding of the WAF’s capabilities by seeing first-hand how vulnerabilities and attacks are detected and blocked by the WAF solution, and by testing its false positive rate.
False positive rates are important for comparing performance among different WAF solutions, and they can only be measured against legitimate traffic that resembles production. Besides web attack protection, clients can also test virtual patching, HTTP protocol handling, and botnet detection.
Additionally, depending on the WAF PoC, clients should be able to test policy customization. For example, clients can blacklist or whitelist countries and restrict access to certain URLs based on the client’s IP address. Finally, clients can also take a look at the reporting structure.
In all, the WAF PoC should demonstrate the before-and-after difference when the web applications are protected by the cloud WAF. While a WAF PoC can test various components, what are the benefits of actually doing a PoC in the first place?
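The policy customization described above (country blacklist/whitelist plus URL access limited to specific client IP ranges) can be modelled as a small rule evaluator. The following is an added example written for this article, not Cloudbric’s code; the `Policy` and `Request` types, the evaluation order, and the sample rules and requests are all constructed here, and the client’s country is assumed to come from a GeoIP lookup performed elsewhere. It fails closed on a malformed client IP, which is the behaviour a PoC tester should look for when feeding a WAF edge-case input.

```python
"""Hypothetical WAF access-policy evaluator (added example, not Cloudbric's code).

Models two policy customizations a PoC can exercise: a country blacklist or
whitelist, and URL prefixes reachable only from allowlisted IP networks.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Policy:
    blocked_countries: Set[str] = field(default_factory=set)   # deny these ISO codes
    allowed_countries: Optional[Set[str]] = None               # if set, allow only these
    # URL prefix -> CIDR networks allowed to reach it (longest matching prefix wins)
    url_allowlists: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class Request:
    client_ip: str
    country: str   # ISO 3166-1 alpha-2 code; assumed to come from a GeoIP lookup
    path: str


def _in_any_network(ip, cidrs: List[str]) -> bool:
    # ip_network membership is False across IPv4/IPv6 versions, so no error is raised
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(policy: Policy, req: Request) -> str:
    """Return 'allow' or 'block: <reason>'. Unparseable input fails closed."""
    try:
        ip = ipaddress.ip_address(req.client_ip)
    except ValueError:
        return "block: malformed client ip"

    # 1. Per-URL restriction: the most specific matching prefix decides.
    matches = [p for p in policy.url_allowlists if req.path.startswith(p)]
    if matches:
        prefix = max(matches, key=len)
        if not _in_any_network(ip, policy.url_allowlists[prefix]):
            return f"block: {req.path} restricted to allowlisted networks"

    # 2. Country whitelist (when configured) is checked before the blacklist.
    country = req.country.upper()
    if policy.allowed_countries is not None and country not in policy.allowed_countries:
        return f"block: country {country} not whitelisted"
    if country in policy.blocked_countries:
        return f"block: country {country} blacklisted"
    return "allow"


# Constructed sample policy: "XX" is a placeholder country code, and the
# /admin prefix is reachable only from an internal IPv4 range and a
# documentation IPv6 prefix.
SAMPLE_POLICY = Policy(
    blocked_countries={"XX"},
    url_allowlists={"/admin": ["10.0.0.0/8", "2001:db8::/32"]},
)

# Constructed sample requests covering the allow, restricted-URL, blacklist
# and malformed-input paths.
SAMPLE_REQUESTS = [
    Request("10.1.2.3", "US", "/admin/users"),
    Request("203.0.113.5", "US", "/admin/users"),
    Request("2001:db8::1", "US", "/admin"),
    Request("203.0.113.5", "XX", "/"),
    Request("not-an-ip", "US", "/"),
]


def run_samples():
    return [(r.path, r.client_ip, evaluate(SAMPLE_POLICY, r)) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for path, ip, verdict in run_samples():
        print(f"{ip:>16} {path:<14} -> {verdict}")
```

During a PoC the same labelled requests would be sent at the candidate WAF and its verdicts compared with the expected ones; the evaluator above is only a reference for what "expected" means for a given policy.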
1) Decide on product fit
First, a WAF PoC will determine if your environment is able to deploy a cloud WAF. For example, Cloudbric’s cloud WAF is able to install on-premises into multiple server environments, such as dedicated/bare metal, cloud, and VPS, so during a PoC, Cloudbric will make sure customers are able to meet the server requirements.
2) Estimate costs
Depending on the deployment type, a PoC will help determine your maximum server throughput capabilities and predict the overall costs. If you’re conducting a PoC in an authentic testing environment, then you should be able to accurately predict the amount of traffic reaching your web applications.
3) Assess security performance
When considering a competitor’s WAF, a PoC can help you decide whether to migrate or switch WAF providers by comparing the detection performance, false positive rates, and other characteristics of the different WAF solutions. You can also check for OWASP Top 10 protection and PCI-DSS compliance.
4) Speed up the purchase approval process
In the most successful examples, a PoC that’s easily integrated and demonstrates immediate performance can speed up your team or your CEO’s approval for purchasing the WAF. This will allow your team to refocus time, resources, and budget on other strategic projects.
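Comparing candidates on detection rate and false positive rate, as the third benefit describes, only works if the PoC plan fixes the success criteria before traffic is replayed. The following scorecard is an added example written for this article, not Cloudbric’s code: the `Outcome` records, the candidate names (`waf_a`, `waf_b`, and `none` as the before-WAF baseline), the attack categories and every verdict are constructed. In practice the verdicts come from replaying a labelled corpus of known attack requests and benign production-like requests through each candidate.

```python
"""Scorecard for evaluating candidate WAFs during a PoC (added example, not
Cloudbric's code). Each Outcome records the ground-truth label of one replayed
request and the verdict every candidate returned for it.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Outcome:
    request_id: str
    label: str                 # ground truth: "attack" or "benign"
    category: str              # attack class such as "injection"; "benign" for clean traffic
    verdicts: Dict[str, str]   # candidate name -> "block" or "pass"


@dataclass
class Criteria:
    min_detection_rate: float        # share of attack requests that must be blocked
    max_false_positive_rate: float   # share of benign requests that may be blocked


def score(outcomes: List[Outcome], vendor: str) -> dict:
    """Confusion counts, detection rate, false positive rate and per-category
    detection for one candidate. Requests the candidate never saw are skipped."""
    counts = Counter()
    per_cat = defaultdict(Counter)
    for o in outcomes:
        verdict = o.verdicts.get(vendor)
        if verdict is None:
            continue
        blocked = verdict == "block"
        if o.label == "attack":
            counts["tp" if blocked else "fn"] += 1
            per_cat[o.category]["seen"] += 1
            per_cat[o.category]["blocked"] += int(blocked)
        else:
            counts["fp" if blocked else "tn"] += 1
    attacks = counts["tp"] + counts["fn"]
    benign = counts["fp"] + counts["tn"]
    return {
        "detection_rate": counts["tp"] / attacks if attacks else 0.0,
        "false_positive_rate": counts["fp"] / benign if benign else 0.0,
        "detection_by_category": {c: v["blocked"] / v["seen"] for c, v in per_cat.items()},
        "counts": dict(counts),
    }


def meets(result: dict, criteria: Criteria) -> bool:
    """Both thresholds must hold; an empty corpus never meets the criteria."""
    return (result["detection_rate"] >= criteria.min_detection_rate
            and result["false_positive_rate"] <= criteria.max_false_positive_rate)


def scorecard(outcomes: List[Outcome], criteria: Criteria) -> Dict[str, dict]:
    vendors = sorted({v for o in outcomes for v in o.verdicts})
    card = {}
    for v in vendors:
        result = score(outcomes, v)
        result["meets_criteria"] = meets(result, criteria)
        card[v] = result
    return card


def _v(none: str, a: str, b: str) -> Dict[str, str]:
    # "none" is the before-WAF baseline: every request passes straight through
    return {"none": none, "waf_a": a, "waf_b": b}


# Constructed replay results: five attack requests (ids only, no payloads)
# and five benign requests. waf_a blocks every attack and no benign request;
# waf_b misses one XSS request and blocks one benign request.
SAMPLE_OUTCOMES = [
    Outcome("a1", "attack", "injection", _v("pass", "block", "block")),
    Outcome("a2", "attack", "injection", _v("pass", "block", "block")),
    Outcome("a3", "attack", "injection", _v("pass", "block", "block")),
    Outcome("a4", "attack", "xss", _v("pass", "block", "block")),
    Outcome("a5", "attack", "xss", _v("pass", "block", "pass")),
    Outcome("b1", "benign", "benign", _v("pass", "pass", "pass")),
    Outcome("b2", "benign", "benign", _v("pass", "pass", "block")),
    Outcome("b3", "benign", "benign", _v("pass", "pass", "pass")),
    Outcome("b4", "benign", "benign", _v("pass", "pass", "pass")),
    Outcome("b5", "benign", "benign", _v("pass", "pass", "pass")),
]

# Constructed success criteria, as a PoC plan would define them up front.
SAMPLE_CRITERIA = Criteria(min_detection_rate=0.9, max_false_positive_rate=0.05)


if __name__ == "__main__":
    for vendor, r in scorecard(SAMPLE_OUTCOMES, SAMPLE_CRITERIA).items():
        print(f"{vendor:<6} detection={r['detection_rate']:.2f} "
              f"fpr={r['false_positive_rate']:.2f} "
              f"by_category={r['detection_by_category']} "
              f"meets={r['meets_criteria']}")
```

The `none` baseline gives the "before" column the article asks for, and the per-category breakdown is what turns a single detection number into an OWASP Top 10 coverage check. A candidate that scores well on detection but blocks real user traffic fails the criteria just as a candidate that misses attacks does, which is why both thresholds are set before the replay rather than after.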
Who is typically involved in this process?
First, those seeking out a cloud WAF to meet certain business needs (such as compliance requirements like PCI-DSS) will likely be involved in the WAF PoC process. They must lay out their business requirements and work with their development team to ensure the WAF delivers the required compliance functionality.
Depending on the size of your company, a dedicated security team, IT specialist, or general IT manager responsible for the WAF will also be involved in the PoC process.
Another team likely to be involved is the QA (quality assurance) team, which can use automation tools to test whether the WAF integrates seamlessly and will report on capability, debugging, and more.
A PoC plan should explicitly address how the proposed WAF will support business goals, define the criteria for success, and include a proposal for how to move forward if the PoC is successful.
It’s clear that those looking to purchase a cloud WAF benefit from requesting a PoC. In addition to evaluating performance and perhaps comparing different WAF solutions, there is a lot you can learn during this process.
For example, issues raised during the PoC stage may be a good sign of what to expect when you’ve fully deployed the cloud WAF service. During the PoC stage, you can also gauge the WAF vendor’s responsiveness and more.
If you’re interested in learning how PoC works for Cloudbric’s WAF or interested in a free PoC contact us today!