Product Managers Should Start Reading WAF Logs
Last year, I embarked on an odyssey that took me beyond the familiar confines of the United States, leading me through the diverse and rich tapestry of Europe. This journey, filled with new experiences and discoveries, also brought an unexpected revelation about the digital world we inhabit. As I traversed various European countries, I encountered an invisible barrier that significantly altered my online experience. This barrier, unlike any physical boundary, stemmed mostly, although not exclusively, from the stringent privacy regulations encapsulated in the General Data Protection Regulation (GDPR).
The GDPR, designed to protect personal data and privacy, has inadvertently erected a digital divide. As a product professional, I am acutely aware of the impact regulatory environments can have on the access and distribution of digital content. However, the extent of content inaccessibility in Europe was startling. Renowned news outlets and various content-rich sites that I had freely accessed in the US were suddenly beyond reach because their providers didn't want to pay the high cost to comply. It was as if a portion of the internet had been walled off, creating a scenario reminiscent of the 'Great Firewall of China.' Yet, there was a critical difference: the restrictions I faced in Europe were not the result of internal censorship but were imposed externally, by the regulations themselves. Interestingly enough, I have not found a single European-based app or website that was blocked to me while in the US.
During my travels, including a stay in Poland, I encountered instances where digital services were inaccessible due to security measures, an oversimplified approach given Poland's burgeoning status as a technology hub. Additionally, corporate strategies such as McDonald's implementation of region-specific applications resulted in the US-based app being unusable in India, inadvertently leading to a loss of business. Furthermore, while visiting Curonian Spit National Park in Lithuania, the connectivity to cell towers in Kaliningrad, Russia, severely limited my access to various services, a situation that is totally understandable with the sanctions in place. Although these instances may seem like outliers, they highlight the tangible impact of certain security and business decisions on customer engagement and potential revenue.
Upon my return to the United States, expecting a smooth transition back into the familiar digital ecosystem, I was instead met with unexpected barriers to accessing websites and services, despite being in cities like Charlotte, NC, and Miami, FL. The unforeseen obstacle turned out to be my Spanish SIM card, which, while indispensable during my European travels, now acted as a gatekeeper, limiting my online access to everyday sites like Home Depot, Publix Supermarkets, and countless other sites and apps. These restrictions, manifesting as loading errors or outright blocks, imposed a sense of digital isolation. The only recourse was employing Virtual Private Networks (VPNs) such as Surfshark, NordVPN, or custom VPN endpoints, allowing me to connect through a US endpoint and circumvent these digital barriers. This workaround not only restored my access but also shed light on a significant oversight in the design and management of digital products and services, emphasizing the need for a more inclusive and adaptable approach to user experience.
This experience was eye-opening, revealing a critical aspect of digital product management that is frequently neglected: the crucial role of Web Application Firewalls (WAFs). WAFs go beyond mere security measures; they act as content gatekeepers, shape accessibility, and inadvertently craft the digital experiences for users from various regions. Importantly, misconfigured WAFs can lead to losing customers, as they may block or restrict access unnecessarily, directly impacting user engagement and retention. The situation I encountered underscores this point, serving as a vivid reminder that product managers must look past the surface level of user interface and functionality.
What is a WAF?
A Web Application Firewall (WAF) is a specialized firewall designed to secure web applications by monitoring, filtering, and blocking potentially harmful HTTP/S traffic to and from a web application. Unlike traditional firewalls that protect a network's perimeter, WAFs operate at the application layer to scrutinize the content of each web request and response, employing a set of rules known as policies to determine whether to allow, challenge, or block specific traffic. These policies can be based on various criteria, including signatures of known attacks, anomalies in traffic patterns, or custom rules tailored to the specific application's needs. For a Product Manager, the most important thing to know is that users blocked by the WAF will not show up in your Google Analytics or other user analytics tools. So you'll never know the users tried to access your product at all.
While WAFs are indispensable tools in the cybersecurity landscape, they are also known for their complexity and the challenges associated with their configuration. Setting up a WAF requires a deep understanding of the application it protects, as well as the potential threats it faces. Misconfigurations can inadvertently block legitimate traffic or create vulnerabilities, leading to disrupted user experiences or exposing the application to new types of attacks. This delicate balancing act makes the initial setup and ongoing management of WAFs a task that requires precision and expertise.
WAFs are not "set it and forget it" solutions. The digital threat landscape is continuously evolving, with new vulnerabilities and attack vectors emerging regularly. Consequently, WAFs require constant updates and monitoring to ensure that they remain effective against the latest threats. This involves regularly reviewing and updating the rule sets to cover new vulnerabilities, monitoring traffic patterns for anomalies that could indicate new types of attacks, and enhancing the WAF's capabilities to keep pace with the evolving infrastructure and development practices of the web application it protects.
In essence, a WAF serves as a critical line of defense in the protection of web applications, but its effectiveness is contingent upon meticulous setup, regular updates, and continuous monitoring. The challenge lies not only in deploying a WAF but in ensuring its ongoing alignment with the application's security needs and the ever-changing cyber threat environment.
Alternatives to IP Based Geolocation
Web Application Firewalls (WAFs) often utilize IP-based geolocation as a primary method for identifying the geographic origin of incoming web traffic. This technique involves analyzing the IP address associated with each request to pinpoint its source location, allowing WAFs to implement region-specific security policies, such as blocking traffic from areas known for high cybercrime rates or enforcing compliance with regional data protection regulations.
IP-based geolocation works by mapping the IP address of a device connected to the internet to a geographical location, including country, region, city, and sometimes even postal codes and specific coordinates. This mapping relies on databases maintained by various organizations, which correlate ranges of IP addresses to physical locations. While this method provides a quick and straightforward way to estimate a user's location, its accuracy can vary significantly depending on the depth and freshness of the database used, and it can be easily circumvented using VPNs or proxy servers.
While IP-based geolocation is widely used, it has limitations in accuracy and can be bypassed, leading to the exploration of alternative methods for more precise or adaptable location determination:
HTML5 Geolocation API: Offers a more precise location by requesting the user's geographic position directly from the device, subject to user permission. This method harnesses GPS, Wi-Fi, cellular networks, and other sensor data to provide accurate latitude and longitude information, making it particularly useful for web applications requiring precise user location.
Mobile Location Services: In mobile applications, accessing the device's built-in location services enables a combination of GPS, Wi-Fi, and cellular network data to determine the user's location with higher accuracy than IP-based methods, especially in scenarios centered around mobile usage.
User-Provided Location Information: Some applications opt for the straightforward approach of asking users to manually input their location. While dependent on user accuracy and honesty, this method can suffice for applications where exact location data is less crucial.
GSM Cell ID: Utilizing the Cell ID from GSM towers offers a rough estimate of the user's location for devices on a cellular network. This method is generally less accurate than GPS but serves as a viable alternative in areas with limited GPS signal availability.
While exploring these alternatives, it's crucial to consider the security trade-offs. For instance, while the HTML5 Geolocation API and Mobile Location Services can provide more precise location data, they also raise privacy concerns and require explicit user consent. User-provided information, while simple, may not always be reliable. GSM Cell ID offers broader coverage but lacks the precision of other methods. Each alternative comes with its own set of challenges and benefits, necessitating a careful evaluation based on the specific needs and security posture of the application.
What PMs Need To Be Doing
In the realm of digital product management, the responsibility for ensuring an optimal user experience extends beyond the design and functionality of the application—it encompasses the security measures that protect it, notably the Web Application Firewall (WAF). Traditionally, the oversight of WAF logs and security protocols has been the domain of Chief Information Security Officers (CISOs) and DevSecOps teams. However, it's becoming increasingly crucial for Product Managers to engage actively with these aspects to understand and mitigate the impact of WAF configurations on customer experience and retention.
By delving into WAF logs, Product Managers can gain invaluable insights into how security measures might inadvertently affect user interactions with their products. These logs are treasure troves of data, detailing blocked transactions, flagged workflows, and potentially legitimate user activities that the WAF has prevented due to overly stringent or misconfigured rules. Such insights are pivotal in identifying friction points that may not be apparent through standard user feedback channels.
Armed with this information, Product Managers can collaborate more effectively with security teams to refine WAF policies, ensuring they strike the right balance between robust security and user accessibility. This collaborative approach can lead to the development of more nuanced WAF rules that accommodate legitimate user behaviors while still protecting against threats and limiting compliance exposure from frameworks like GDPR.
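As an added illustration of the two points above (IP-based geolocation resolving a roaming SIM to its carrier's home country, and the kind of review of WAF logs the article recommends), here is a small Python script that is not part of the original post. The log format, field names, rule names and the tiny CIDR-to-country table are all constructed for the example; a real WAF and a real geolocation database will differ.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed stand-in for an IP-geolocation database (assumption: carrier
# address blocks usually resolve to the carrier's home country even when the
# subscriber is roaming abroad, which is what the article's Spanish SIM hit).
GEO_DB = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "ES",   # constructed: a Spanish mobile carrier block
    "192.0.2.0/24": "RU",
}

# Constructed WAF log, one JSON event per line; the field names are an assumption.
SAMPLE_LOG = """\
{"ts":"2024-03-01T14:02:11Z","client_ip":"198.51.100.17","action":"BLOCK","rule":"geo-block-non-us","path":"/store/locator","ua":"Mozilla/5.0 (iPhone)"}
{"ts":"2024-03-01T14:02:15Z","client_ip":"198.51.100.17","action":"BLOCK","rule":"geo-block-non-us","path":"/store/locator","ua":"Mozilla/5.0 (iPhone)"}
{"ts":"2024-03-01T14:03:40Z","client_ip":"192.0.2.9","action":"BLOCK","rule":"sqli-signature","path":"/search","ua":"python-requests/2.31"}
{"ts":"2024-03-01T14:04:02Z","client_ip":"203.0.113.5","action":"ALLOW","rule":"-","path":"/","ua":"Mozilla/5.0"}
{"ts":"2024-03-01T14:05:30Z","client_ip":"198.51.100.22","action":"BLOCK","rule":"geo-block-non-us","path":"/checkout","ua":"Mozilla/5.0 (Android)"}
"""


def country_for(ip: str) -> str:
    """Longest-prefix style lookup is unnecessary here: the constructed table has no overlaps."""
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEO_DB.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return "??"  # not in the table; a real database would still return a best guess


def parse_log(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def block_summary(events: list[dict]) -> Counter:
    """Count BLOCK actions per (rule, country) so a PM can see which rule is doing the blocking."""
    counts = Counter()
    for e in events:
        if e["action"] == "BLOCK":
            counts[(e["rule"], country_for(e["client_ip"]))] += 1
    return counts


def likely_customers(events: list[dict]) -> dict[str, list[str]]:
    """Blocked clients stopped by a geo rule while using a normal browser on a customer
    path: these are the visitors who never reach analytics and deserve a rule review."""
    hits = defaultdict(set)
    for e in events:
        if e["action"] == "BLOCK" and e["rule"].startswith("geo-") and e["ua"].startswith("Mozilla/"):
            hits[e["rule"]].add(e["client_ip"])
    return {rule: sorted(ips) for rule, ips in hits.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for (rule, cc), n in block_summary(evts).most_common():
        print(f"{rule:20s} {cc}  blocked={n}")
    print("review candidates:", likely_customers(evts))
```

The signature-based block from the scripted client stays in the summary as a genuine security event, while the geo rule shows browser traffic from a carrier range hitting the store locator and checkout, which is exactly the loss the article describes.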
Conclusion
My journey from the diverse landscapes of Europe back to the familiar terrains of the United States, coupled with the unexpected digital hurdles I encountered, underscores a vital lesson for product managers everywhere. The role of Web Application Firewalls (WAFs) in shaping user experiences and access cannot be overstated. Misconfigured WAFs are not just a minor inconvenience; they represent a significant barrier to customer access and engagement, potentially costing companies valuable business. The exact financial impact varies depending on the customer base and product offering, but for major consumer-facing brands, the cost is undeniably greater than zero.
The call to action is clear: Product managers must prioritize understanding and managing their WAFs to prevent unnecessary customer loss and financial impact. In an era where digital accessibility is paramount, ensuring that WAF configurations are optimized for both security and user experience is not just beneficial—it's essential for sustained business success.