Questions to Ask Your Application Security Provider

There is a great deal to consider when evaluating application security providers. Understanding your goals will help. If your goal is vendor consolidation, then selecting providers that offer multiple security capabilities rather than single products may make more sense. And if your goal is out-of-the-box functionality, then understanding the amount of manual intervention required for each product is important. Does security efficacy matter more than meeting compliance requirements? Are you concerned about the provider’s security expertise and reputation? Or are you looking for protection from a specific threat?

Understanding your objectives is important when evaluating security solutions. Here are two questions to ask when considering any application security provider.

How many types of web attacks do you detect and mitigate?

Web attacks are constantly evolving. Your business website is built using a wide variety of technologies, including web code, APIs, JavaScript services, cloud services, third-party technologies, and proprietary application code. This range of technologies presents a vast attack surface and draws the attention of dedicated adversaries. Make sure you understand how you might be attacked and look for the security solution that protects against the widest variety of attacks.

Does a Web Application Firewall (WAF) protect from all attacks on a website? Is that all I need to start to meet compliance requirements?

The answer is no. The WAF is a foundational security product that helps protect against OWASP Top 10 attacks. But there are many more attacks that the WAF was not built to protect against. Preventing DDoS attacks, API attacks, bot attacks, and client-side attacks all require different solutions. Nonetheless, it’s true that a WAF helps businesses meet compliance requirements.

The Imperva Cloud Security Application platform includes a WAF and helps meet many compliance requirements, and it also provides API Security, Bot Protection, Client-side Protection, DDoS Protection, and DNS Protection.

There are many more questions you could ask when considering application security providers, of course. For a comprehensive list of questions and answers, download a copy of 14 Questions to Ask Your Application Security Vendor.