{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T17:27:30Z","timestamp":1754155650901,"version":"3.41.2"},"reference-count":24,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2013,10,7]],"date-time":"2013-10-07T00:00:00Z","timestamp":1381104000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2013,10,7]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>\u2013 The purpose of this paper is to estimate the effectiveness of web application firewalls (WAFs) at preventing injection attacks by professional penetration testers given presence or absence of four conditions: whether there is an experienced operator monitoring the WAF; whether an automated black box tool has been used when tuning the WAF; whether the individual tuning the WAF is an experienced professional; and whether significant effort has been spent tuning the WAF.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>\u2013 Estimates on the effectiveness of WAFs are made for 16 operational scenarios utilizing judgments by 49 domain experts participating in a web survey. The judgments of these experts are pooled using Cooke's classical method.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>\u2013 The results show that the median prevention rate of a WAF is 80 percent if all measures have been employed. If no measure is employed then its median prevention rate is 25 percent. 
Also, there are no strong dependencies between any of the studied measures.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Research limitations\/implications<\/jats:title><jats:p>\u2013 The results are only valid for the attacker profile of a professional penetration tester who prepares one week for attacking a WA protected by a WAF.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Practical implications<\/jats:title><jats:p>\u2013 The competence of the individual(s) tuning a WAF, employment of an automated black box tool for tuning and the manual effort spent on tuning are of great importance for the effectiveness of a WAF. The presence of an operator monitoring it has minor positive influence on its effectiveness.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>\u2013 WA vulnerabilities are widely considered a serious concern. To manage them in deployed software, many enterprises employ WAFs. However, the effectiveness of this type of countermeasure under different operational scenarios is largely unknown.<\/jats:p><\/jats:sec>","DOI":"10.1108\/imcs-11-2012-0064","type":"journal-article","created":{"date-parts":[[2013,10,18]],"date-time":"2013-10-18T09:01:48Z","timestamp":1382086908000},"page":"250-265","source":"Crossref","is-referenced-by-count":8,"title":["Estimates on the effectiveness of web application firewalls against targeted attacks"],"prefix":"10.1108","volume":"21","author":[{"given":"Hannes","family":"Holm","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mathias","family":"Ekstedt","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022031319594212300_b1","doi-asserted-by":"crossref","unstructured":"Axelsson, S. 
(2000), \u201cThe base-rate fallacy and the difficulty of intrusion detection\u201d, ACM Transactions on Information and System Security, Vol. 3, pp. 186-205.","DOI":"10.1145\/357830.357849"},{"key":"key2022031319594212300_b2","doi-asserted-by":"crossref","unstructured":"Cavusgil, S.T. and Elvey-Kirk, L.A. (1998), \u201cMail survey response behavior: a conceptualization of motivating factors and an empirical study\u201d, European Journal of Marketing, Vol. 32, pp. 1165-1192.","DOI":"10.1108\/03090569810243776"},{"key":"key2022031319594212300_b3","doi-asserted-by":"crossref","unstructured":"Clemen, R.T. and Winkler, R.L. (1999), \u201cCombining probability distributions from experts in risk analysis\u201d, Risk Analysis, Vol. 19, pp. 187-204.","DOI":"10.1111\/j.1539-6924.1999.tb00399.x"},{"key":"key2022031319594212300_b5","doi-asserted-by":"crossref","unstructured":"Cooke, R.M. (1991), Experts in Uncertainty: Opinion and Subjective Probability in Science, Oxford University Press, Oxford.","DOI":"10.1093\/oso\/9780195064650.001.0001"},{"key":"key2022031319594212300_b4","doi-asserted-by":"crossref","unstructured":"Cooke, R.M. (2008), \u201cTU Delft expert judgment data base\u201d, Reliability Engineering & System Safety, Vol. 93, pp. 657-674.","DOI":"10.1016\/j.ress.2007.03.005"},{"key":"key2022031319594212300_b6","doi-asserted-by":"crossref","unstructured":"Cronbach, L.J. (1951), \u201cCoefficient alpha and the internal structure of tests\u201d, Psychometrika, Vol. 16, pp. 297-334.","DOI":"10.1007\/BF02310555"},{"key":"key2022031319594212300_b7","doi-asserted-by":"crossref","unstructured":"Cronbach, L.J. and Shavelson, R.J. (2004), \u201cMy current thoughts on coefficient alpha and successor procedures\u201d, Educational and Psychological Measurement, Vol. 64, pp. 391-418.","DOI":"10.1177\/0013164404266386"},{"key":"key2022031319594212300_b8","doi-asserted-by":"crossref","unstructured":"De Win, B. , Scandariato, R. , Buyens, K. , Gr\u00e9goire, J. and Joosen, W. 
(2009), \u201cOn the secure software development process: CLASP, SDL and Touchpoints compared\u201d, Information and Software Technology, Vol. 51, pp. 1152-1171.","DOI":"10.1016\/j.infsof.2008.01.010"},{"key":"key2022031319594212300_b9","doi-asserted-by":"crossref","unstructured":"Elia, I.A. , Fonseca, J. and Vieira, M. (2010), \u201cComparing SQL injection detection tools using attack injection: an experimental study\u201d, 21st International Symposium on Software Reliability Engineering (ISSRE), IEEE, New York, NY, pp. 289-298.","DOI":"10.1109\/ISSRE.2010.32"},{"key":"key2022031319594212300_b10","unstructured":"Elsevier (2012), Scopus, available at: www.scopus.com\/."},{"key":"key2022031319594212300_b11","doi-asserted-by":"crossref","unstructured":"Garthwaite, P.H. , Kadane, J.B. and O'Hagan, A. (2005), \u201cStatistical methods for eliciting probability distributions\u201d, Journal of the American Statistical Association, Vol. 100, pp. 680-701.","DOI":"10.1198\/016214505000000105"},{"key":"key2022031319594212300_b12","doi-asserted-by":"crossref","unstructured":"Holm, H. and Ekstedt, M. (2012), \u201cA metamodel for web application injection attacks and countermeasures\u201d, Trends in Enterprise Architecture Research and Practice-Driven Research on Enterprise Transformation, Springer, New York, NY, pp. 198-217.","DOI":"10.1007\/978-3-642-34163-2_12"},{"key":"key2022031319594212300_b13","doi-asserted-by":"crossref","unstructured":"Holm, H. , Ekstedt, M. and Sommestad, T. (2013), \u201cEffort estimates on web application vulnerability discovery\u201d, 46th Hawaii International Conference on System Sciences, IEEE, New York, NY, pp. 5029-5038.","DOI":"10.1109\/HICSS.2013.190"},{"key":"key2022031319594212300_b14","unstructured":"Holm, H. , Sommestad, T. , Franke, U. and Ekstedt, M. (2012), \u201cSuccess rate of remote code execution attacks-expert assessments and observations\u201d, Journal of Universal Computer Science, Vol. 18, pp. 
732-749."},{"key":"key2022031319594212300_b15","doi-asserted-by":"crossref","unstructured":"Jones, R.L. and Rastogi, A. (2004), \u201cSecure coding: building security into the software development life cycle\u201d, Information Systems Security, Vol. 13, pp. 29-39.","DOI":"10.1201\/1086\/44797.13.5.20041101\/84907.5"},{"key":"key2022031319594212300_b16","unstructured":"Martin, B. , Brown, M. , Paller, A. , Kirby, D. and Christey, S. (2011), 2011 CWE\/SANS Top 25 Most Dangerous Software Errors, The MITRE Corporation, Bedford, MA."},{"key":"key2022031319594212300_b17","unstructured":"Montgomery, D.C. (2008), Design and Analysis of Experiments, Wiley, New York, NY."},{"key":"key2022031319594212300_b18","unstructured":"OWASP (2010), 2010 OWASP Top 10."},{"key":"key2022031319594212300_b19","doi-asserted-by":"crossref","unstructured":"Ozment, A. (2007), \u201cImproving vulnerability discovery models\u201d, Proceedings of the 2007 ACM Workshop on Quality of Protection, ACM, New York, NY, pp. 6-11.","DOI":"10.1145\/1314257.1314261"},{"key":"key2022031319594212300_b20","doi-asserted-by":"crossref","unstructured":"Scarfone, K. and Mell, P. (2007), Guide to Intrusion Detection and Prevention Systems (IDPS), NIST Special Publication, Gaithersburg.","DOI":"10.6028\/NIST.SP.800-94"},{"key":"key2022031319594212300_b21","doi-asserted-by":"crossref","unstructured":"Scholte, T. , Balzarotti, D. , Robertson, W. and Kirda, E. (2012), \u201cAn empirical analysis of input validation mechanisms in web applications and languages\u201d, The 27th Symposium on Applied Computing, pp. 202-209.","DOI":"10.1145\/2245276.2232004"},{"key":"key2022031319594212300_b22","doi-asserted-by":"crossref","unstructured":"Sommestad, T. , Holm, H. and Ekstedt, M. (2012), \u201cEffort estimates for vulnerability discovery projects\u201d, 45th Hawaii International Conference on System Sciences, IEEE, New York, NY, pp. 
5564-5573.","DOI":"10.1109\/HICSS.2012.238"},{"key":"key2022031319594212300_b23","unstructured":"Suto, L. (2011), Analyzing the Effectiveness of Web Application Firewalls, IMPERVA, Redwood Shores CA."},{"key":"key2022031319594212300_b24","doi-asserted-by":"crossref","unstructured":"Weiss, D.J. and Shanteau, J. (2003), \u201cEmpirical assessment of expertise\u201d, Human Factors: The Journal of the Human Factors and Ergonomics Society, Vol. 45, p. -.","DOI":"10.1518\/hfes.45.1.104.27233"}],"container-title":["Information Management &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/IMCS-11-2012-0064","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMCS-11-2012-0064\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMCS-11-2012-0064\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T21:50:50Z","timestamp":1753393850000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/21\/4\/250-265\/185530"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2013,10,7]]},"references-count":24,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2013,10,7]]}},"alternative-id":["10.1108\/IMCS-11-2012-0064"],"URL":"https:\/\/doi.org\/10.1108\/imcs-11-2012-0064","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2013,10,7]]}}}
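The methodology in the abstract above says the 49 experts' judgments were pooled with Cooke's classical method. As an added illustration, not code or data from the paper, the Python below implements the core of that scoring on constructed data: each expert gives 5, 50 and 95 percent quantiles for seed questions with known answers (used to compute a calibration score, the chi-square p-value of the expert's empirical inter-quantile bin frequencies, and an information score, the expert's mean relative information against a uniform background over the intrinsic range) and for target questions (here two of the paper's 16 scenarios, all four measures employed and none employed). Each expert's weight is calibration times information, normalized, and the pooled distribution is the weighted mixture of the experts' piecewise-uniform distributions. The experts, seed realizations, target quantiles, the 10 percent intrinsic-range overshoot and the zero calibration cutoff are all assumptions made for this example; Cooke's full method also optimizes that cutoff, which is omitted here.

```python
"""Cooke-style performance-weighted pooling of expert quantile judgments.

Added example on constructed data (not the paper's experts, questions or
results). Experts state 5%, 50% and 95% quantiles for seed questions with
known answers (used only to score them) and for target questions (pooled).
"""
import math

P_IDEAL = (0.05, 0.45, 0.45, 0.05)   # mass a perfectly calibrated expert puts in the 4 inter-quantile bins
MASS = (0.0, 0.05, 0.50, 0.95, 1.0)  # cumulative mass at lo, q5, q50, q95, hi
OVERSHOOT = 0.10                     # assumption: widen the intrinsic range by 10% on each side

# Constructed data; values are fractions (e.g. share of injection payloads blocked).
SEED_REALIZATIONS = [0.62, 0.30, 0.85, 0.45, 0.70, 0.15]
EXPERTS = {
    "A": {  # well calibrated and reasonably informative
        "seeds": [(0.50, 0.60, 0.75), (0.20, 0.35, 0.50), (0.70, 0.80, 0.92),
                  (0.30, 0.40, 0.55), (0.55, 0.65, 0.80), (0.05, 0.20, 0.35)],
        "targets": {"all_measures": (0.65, 0.80, 0.90), "no_measures": (0.10, 0.25, 0.45)}},
    "B": {  # overconfident: narrow intervals that mostly miss the realization
        "seeds": [(0.70, 0.72, 0.74), (0.35, 0.37, 0.39), (0.60, 0.62, 0.64),
                  (0.50, 0.52, 0.54), (0.80, 0.82, 0.84), (0.20, 0.22, 0.24)],
        "targets": {"all_measures": (0.90, 0.92, 0.95), "no_measures": (0.05, 0.07, 0.10)}},
    "C": {  # calibrated but uninformative: very wide intervals
        "seeds": [(0.20, 0.55, 0.90), (0.05, 0.35, 0.70), (0.40, 0.75, 0.99),
                  (0.10, 0.45, 0.80), (0.30, 0.65, 0.95), (0.02, 0.25, 0.60)],
        "targets": {"all_measures": (0.30, 0.75, 0.95), "no_measures": (0.02, 0.30, 0.70)}},
}


def chi2_sf_df3(x):
    """Upper tail of the chi-square distribution with 3 degrees of freedom (closed form)."""
    if x <= 0.0:
        return 1.0
    return math.erfc(math.sqrt(x / 2.0)) + math.sqrt(2.0 * x / math.pi) * math.exp(-x / 2.0)


def bin_index(value, q):
    """0: below q5, 1: [q5, q50), 2: [q50, q95), 3: q95 and above."""
    return sum(1 for edge in q if value >= edge)


def calibration(seed_quantiles, realizations):
    """Calibration score: p-value of the expert's empirical bin frequencies against P_IDEAL."""
    n = len(realizations)
    counts = [0] * 4
    for q, r in zip(seed_quantiles, realizations):
        counts[bin_index(r, q)] += 1
    s = [c / n for c in counts]
    rel_info = sum(si * math.log(si / pi) for si, pi in zip(s, P_IDEAL) if si > 0)
    return chi2_sf_df3(2.0 * n * rel_info)


def intrinsic_range(quantile_sets, realization=None):
    """Smallest interval covering every expert's q5..q95 (and the realization), widened by OVERSHOOT."""
    lo = min(q[0] for q in quantile_sets)
    hi = max(q[2] for q in quantile_sets)
    if realization is not None:
        lo, hi = min(lo, realization), max(hi, realization)
    span = hi - lo
    return lo - OVERSHOOT * span, hi + OVERSHOOT * span


def information(quantile_sets, ranges):
    """Mean relative information of the expert's piecewise-uniform density vs. the uniform on each range."""
    total = 0.0
    for q, (lo, hi) in zip(quantile_sets, ranges):
        edges = (lo,) + tuple(q) + (hi,)
        total += sum(p * math.log(p * (hi - lo) / (edges[i + 1] - edges[i]))
                     for i, p in enumerate(P_IDEAL))
    return total / len(quantile_sets)


def score_experts(experts, realizations, alpha=0.0):
    """Return {name: (calibration, information, normalized weight)}; alpha is the calibration cutoff."""
    ranges = [intrinsic_range([e["seeds"][i] for e in experts.values()], r)
              for i, r in enumerate(realizations)]
    raw = {}
    for name, e in experts.items():
        cal, info = calibration(e["seeds"], realizations), information(e["seeds"], ranges)
        raw[name] = (cal, info, cal * info if cal >= alpha else 0.0)
    norm = sum(w for _, _, w in raw.values())
    return {n: (c, i, w / norm) for n, (c, i, w) in raw.items()}


def expert_cdf(x, q, lo, hi):
    """Piecewise-linear CDF through (lo,0), (q5,.05), (q50,.5), (q95,.95), (hi,1)."""
    edges = (lo,) + tuple(q) + (hi,)
    if x <= lo:
        return 0.0
    for i in range(4):
        if x <= edges[i + 1]:
            return MASS[i] + (MASS[i + 1] - MASS[i]) * (x - edges[i]) / (edges[i + 1] - edges[i])
    return 1.0


def pooled_quantile(experts, weights, key, prob=0.5):
    """Quantile of the weighted mixture of the experts' distributions for target question `key`."""
    qs = [e["targets"][key] for e in experts.values()]
    lo, hi = intrinsic_range(qs)
    mix_cdf = lambda x: sum(weights[n] * expert_cdf(x, e["targets"][key], lo, hi)
                            for n, e in experts.items())
    a, b = lo, hi
    for _ in range(80):  # bisection: mix_cdf is monotone and continuous
        m = (a + b) / 2
        a, b = (m, b) if mix_cdf(m) < prob else (a, m)
    return (a + b) / 2


if __name__ == "__main__":
    scores = score_experts(EXPERTS, SEED_REALIZATIONS)
    for name, (cal, info, w) in scores.items():
        print(f"{name}: calibration={cal:.4f} information={info:.3f} weight={w:.3f}")
    weights = {n: s[2] for n, s in scores.items()}
    for key in ("all_measures", "no_measures"):
        print(f"pooled median, {key}: {pooled_quantile(EXPERTS, weights, key):.3f}")
```

Running the file prints each expert's scores and the pooled medians for the two constructed scenarios. Expert A, whose seed intervals contain the realizations at roughly the intended rates while staying tight, takes nearly all the weight; C is equally calibrated but so wide that its information score is tiny; B's narrow intervals miss five of six seed realizations, so its calibration p-value, and with it its weight, collapses to almost nothing. That discounting of overconfident experts is the property that makes performance-based pooling preferable to a plain average when estimating quantities such as a WAF prevention rate from expert judgment.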