Hardware Web Application Firewall leased on a 36-month bundle. OWASP Top 10 protection, API positive-security model, bot management, and continuous rule tuning — all managed by nCrypt analysts.

The majority of consumer-facing breaches in Malaysia involve a web application vulnerability as the initial access vector. SQL injection, cross-site scripting, authentication bypass, and API parameter manipulation are consistently the top findings in application penetration tests. Web application attacks are particularly dangerous because they combine accessibility (any internet-connected attacker can probe a web application) with impact (a successful injection attack against a payment platform can exfiltrate card numbers at scale in minutes).
Three scenarios that a managed WAF directly mitigates for Malaysian buyers: (1) Magecart-style skimming, where a script injected into the payment page captures card data as customers type. A WAF that injects and enforces a Content-Security-Policy on payment-page responses restricts the origins the browser may load scripts from and send data to, which blocks skimmers loaded from, or exfiltrating to, hosts outside the allowlist. It does not catch a skimmer appended to a first-party script that is itself allowlisted, so the allowlist must stay tight and inline scripts should be gated by nonces or hashes. (2) Credential stuffing: automated login attempts using credential lists from previous breaches. Bot management at the WAF layer detects and challenges these attempts based on request rate, TLS fingerprint, and behavioural patterns such as one failed attempt per account across many accounts. (3) API abuse: undocumented API parameters exploited to bypass business logic, access other users' data, or trigger unintended server behaviour. The API positive-security model blocks any request that does not conform to the documented API specification, which makes the specification itself the control: anything legitimate but undocumented is blocked too, and is found and fixed during the monitor phase.
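The following is an added example, not nCrypt's or any vendor's code, of what the Content-Security-Policy enforcement in scenario (1) does and does not stop. It evaluates a constructed script-src policy of the kind a WAF can stamp onto payment-page responses against a set of constructed script loads; the page origin, PSP hostnames, attacker hostname and nonce are all made up, and the evaluator implements only the source-expression forms needed here ('self', 'none', 'unsafe-inline', nonces, scheme sources and host sources).

```python
"""Added example: which script loads a payment-page CSP permits. Not code from
the page's vendors; the policy, hostnames and URLs below are constructed."""
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed: the checkout page the WAF stamps the policy onto, and the policy itself.
PAGE_ORIGIN = "https://shop.example.com"
PAYMENT_PAGE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://js.example-psp.com 'nonce-r4nd0m'; "
    "connect-src 'self' https://api.example-psp.com"
)


def directive_sources(policy: str, name: str) -> list[str]:
    """Source list for `name`; script-src falls back to default-src when absent."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get(name, directives.get("default-src", []))


def source_allows(source: str, url: str) -> bool:
    """Does one CSP source expression permit fetching `url`?"""
    page, target = urlsplit(PAGE_ORIGIN), urlsplit(url)
    if source == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if source.startswith("'"):          # 'none', 'unsafe-inline', nonces, hashes never match a URL
        return False
    if source.endswith(":") and "://" not in source:   # scheme-source such as "https:"
        return target.scheme == source[:-1]
    if "://" in source:                 # host-source with an explicit scheme
        src = urlsplit(source)
        scheme_ok = target.scheme == src.scheme
    else:                               # bare host-source inherits the page's scheme
        src = urlsplit("//" + source)
        scheme_ok = target.scheme == page.scheme
    pattern_host, host = src.hostname or "", target.hostname or ""
    if pattern_host.startswith("*."):
        host_ok = host.endswith(pattern_host[1:])
    else:
        host_ok = host == pattern_host
    path_ok = src.path in ("", "/") or target.path.startswith(src.path)
    return scheme_ok and host_ok and path_ok


def script_allowed(policy: str, url: str | None, nonce: str | None = None) -> bool:
    """Evaluate one script: url=None is an inline <script>, optionally carrying a nonce."""
    sources = directive_sources(policy, "script-src")
    if "'none'" in sources:
        return False
    if url is None:
        if nonce and f"'nonce-{nonce}'" in sources:
            return True
        # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        return "'unsafe-inline'" in sources and not has_nonce_or_hash
    return any(source_allows(s, url) for s in sources)


# Constructed script loads observed on /checkout: first-party and PSP scripts, a skimmer
# pulled from an attacker host, an inline skimmer without a nonce, and a nonced inline script.
SAMPLE_LOADS = [
    ("first-party checkout.js", "https://shop.example.com/static/checkout.js", None),
    ("PSP hosted fields", "https://js.example-psp.com/v1/fields.js", None),
    ("skimmer from attacker host", "https://cdn-stats.example.net/jquery.min.js", None),
    ("inline skimmer, no nonce", None, None),
    ("inline bootstrap with nonce", None, "r4nd0m"),
]


def evaluate_loads(policy: str = PAYMENT_PAGE_CSP, loads=SAMPLE_LOADS) -> dict[str, bool]:
    """Map each labelled load to whether the policy lets the browser run it."""
    return {label: script_allowed(policy, url, nonce) for label, url, nonce in loads}


if __name__ == "__main__":
    for label, allowed in evaluate_loads().items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {label}")
    # The first line is the caveat: a skimmer appended to checkout.js on the origin itself
    # is still 'self' and passes. CSP cannot see that; only integrity controls on the file can.
```

The two blocked rows are the Magecart mechanisms the policy covers (a script fetched from an unlisted host, and inline code injected without the current nonce). The first row shows the gap: a skimmer written into a first-party file is allowed by 'self', so the WAF-injected CSP reduces the attack surface but does not substitute for integrity monitoring of the payment page's own scripts.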
For organisations subject to the PDPA, as amended in 2024, a web application breach that exposes personal data triggers mandatory notification obligations. The WAF is a first-line control that reduces the probability of that notification obligation arising. See our BNM RMiT compliance overview and the broader managed security leasing overview. For comprehensive application security, pair with Firewall-as-a-Service for network-layer perimeter control and NAC-as-a-Service for device-level access control.
The most common WAF failure mode is not bypass — it is misconfiguration. An organisation deploys a WAF in blocking mode without a proper tuning phase. On day one, the WAF blocks legitimate customer transactions (false positives). The business complains. IT puts the WAF in monitor-only mode to stop blocking legitimate traffic. The WAF runs in monitor-only mode indefinitely while IT focuses on other priorities. Three years later the WAF is still in monitor-only mode and blocking nothing.
The managed service model prevents this failure pattern. Monthly rule tuning by nCrypt analysts is included in every tier. New application features are tested against the WAF rule set before deployment. False-positive rules are tuned out through a documented change-management process. The WAF remains in blocking mode and the rule set remains current. When a new attack technique emerges, such as a new injection encoding or a new API attack pattern, the corresponding rule update is deployed and tested within the managed tuning cadence.
For organisations that have previously tried to run their own WAF and abandoned active blocking due to false positives, the managed service approach (a proper monitor phase, phased enablement of blocking, and ongoing tuning) typically achieves stable blocking mode within four to six weeks and maintains it indefinitely.
PCI DSS Requirement 6.6 (the v3.2.1 numbering; in PCI DSS v4.0 the same requirement is 6.4.1) requires that public-facing web applications are protected from known attacks either by (a) reviewing application code using manual or automated vulnerability assessment tools at least annually and after changes, or (b) installing an automated technical solution that detects and prevents web-based attacks in front of public-facing web applications. Since 31 March 2025, v4.0 Requirement 6.4.2 supersedes this and removes option (a): an automated technical solution must be deployed in front of public-facing web applications, actively running and kept up to date, generating audit logs, and configured either to block web-based attacks or to generate alerts that are immediately investigated. A managed WAF deployed in blocking mode satisfies both the older option (b) and Requirement 6.4.2. nCrypt provides a PCI DSS Req 6.6 attestation pack documenting the WAF deployment, the baseline rule configuration, the blocking-mode status, and the ongoing tuning process. This pack is presented to your QSA during the PCI DSS assessment.
The OWASP Top 10 is the most widely referenced classification of web application security risks, maintained by the Open Worldwide Application Security Project (OWASP). The current edition (2021) covers: broken access control, cryptographic failures, injection (SQL, command, LDAP, and cross-site scripting, which the 2021 edition folds into this category), insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery. A WAF with a properly tuned rule set addresses the injection category directly through pattern matching and positive-security models, the credential-stuffing part of identification and authentication failures through bot management, and SSRF by rejecting requests that carry internal addresses or unexpected URL schemes in parameters. The other categories require application-level fixes; the WAF provides a meaningful reduction in exploitability while those fixes are implemented, but it does not replace them.
The deployment methodology starts in monitor-only mode for the first one to two weeks. In this mode the WAF logs what it would block but does not actually block anything. nCrypt analysts review the monitor logs to identify any false-positive rules that would block legitimate application traffic, and those rules are tuned before switching to blocking mode. The phased approach means no legitimate application traffic is disrupted during the deployment. Post-deployment, any new application feature that triggers a false positive is handled through the change management process, and the rule is tuned within the managed service SLA.
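As an added example of the monitor-log review step (this is not nCrypt's tooling and the events are constructed; the rule ids follow OWASP CRS numbering for familiarity), the following separates monitor-mode events into scanner noise and false-positive candidates. The heuristic it encodes is the one analysts apply by hand: a client tripping rules across many different URIs is probing and is not tuning input, while one rule firing on one field from many unrelated clients is what a false positive on a legitimate form looks like.

```python
"""Added example: triage of WAF monitor-mode events into scanner noise and
false-positive candidates. Events are constructed; rule ids follow CRS numbering."""
from __future__ import annotations
import json
from collections import defaultdict

# Constructed monitor-mode events: the WAF records the rule that *would* have blocked.
MONITOR_LOG = """
{"ts":"2025-02-03T09:01:11Z","client_ip":"203.0.113.10","uri":"/checkout/address","param":"ARGS:address_line1","rule_id":942100,"msg":"SQL Injection Attack Detected via libinjection"}
{"ts":"2025-02-03T09:01:40Z","client_ip":"203.0.113.11","uri":"/checkout/address","param":"ARGS:address_line1","rule_id":942100,"msg":"SQL Injection Attack Detected via libinjection"}
{"ts":"2025-02-03T09:02:05Z","client_ip":"203.0.113.12","uri":"/checkout/address","param":"ARGS:address_line1","rule_id":942100,"msg":"SQL Injection Attack Detected via libinjection"}
{"ts":"2025-02-03T09:02:44Z","client_ip":"203.0.113.13","uri":"/checkout/address","param":"ARGS:address_line1","rule_id":942100,"msg":"SQL Injection Attack Detected via libinjection"}
{"ts":"2025-02-03T09:03:19Z","client_ip":"198.51.100.7","uri":"/login","param":"ARGS:username","rule_id":942100,"msg":"SQL Injection Attack Detected via libinjection"}
{"ts":"2025-02-03T09:03:20Z","client_ip":"198.51.100.7","uri":"/search","param":"ARGS:q","rule_id":942100,"msg":"SQL Injection Attack Detected via libinjection"}
{"ts":"2025-02-03T09:03:21Z","client_ip":"198.51.100.7","uri":"/product/1","param":"ARGS:id","rule_id":942100,"msg":"SQL Injection Attack Detected via libinjection"}
{"ts":"2025-02-03T09:03:22Z","client_ip":"198.51.100.7","uri":"/api/orders","param":"ARGS:sort","rule_id":942100,"msg":"SQL Injection Attack Detected via libinjection"}
{"ts":"2025-02-03T09:05:00Z","client_ip":"198.51.100.7","uri":"/login","param":"ARGS:username","rule_id":941100,"msg":"XSS Attack Detected via libinjection"}
{"ts":"2025-02-03T09:05:01Z","client_ip":"198.51.100.7","uri":"/search","param":"ARGS:q","rule_id":941100,"msg":"XSS Attack Detected via libinjection"}
"""


def parse_events(log_text: str) -> list[dict]:
    """One JSON object per line; blank lines ignored."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def find_scanners(events: list[dict], min_distinct_uris: int = 3) -> set[str]:
    """A client tripping rules across many different URIs is probing, not shopping."""
    uris_by_ip: dict[str, set[str]] = defaultdict(set)
    for e in events:
        uris_by_ip[e["client_ip"]].add(e["uri"])
    return {ip for ip, uris in uris_by_ip.items() if len(uris) >= min_distinct_uris}


def false_positive_candidates(events: list[dict], min_clients: int = 3) -> list[dict]:
    """One rule firing on one field from many unrelated clients is the false-positive
    signature: real users all typing something the rule dislikes (addresses with
    apostrophes, for example). Scanner traffic is excluded first so it cannot vote."""
    scanners = find_scanners(events)
    groups: dict[tuple, dict] = defaultdict(lambda: {"hits": 0, "clients": set(), "msg": ""})
    for e in events:
        if e["client_ip"] in scanners:
            continue
        g = groups[(e["rule_id"], e["uri"], e["param"])]
        g["hits"] += 1
        g["clients"].add(e["client_ip"])
        g["msg"] = e["msg"]
    return [
        {"rule_id": rid, "uri": uri, "exclude_target": param, "hits": g["hits"],
         "distinct_clients": len(g["clients"]), "msg": g["msg"]}
        for (rid, uri, param), g in sorted(groups.items())
        if len(g["clients"]) >= min_clients
    ]


def triage(log_text: str = MONITOR_LOG) -> dict:
    """Full monitor-phase triage: who is scanning, and which rule/field pairs need review."""
    events = parse_events(log_text)
    return {"scanners": sorted(find_scanners(events)),
            "false_positive_candidates": false_positive_candidates(events)}


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

A candidate is a lead, not a decision: before an exclusion is written, the analyst inspects the matched payloads to confirm they are benign (a customer's "O'Connor Street" rather than an injection attempt). The exclusion that follows is scoped to that rule, URI and parameter, never to the rule globally, and goes through the change-management record so the reason it exists survives staff turnover.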
Modern F5 Advanced WAF and Imperva Cloud WAF include an API positive-security model. You supply the OpenAPI (Swagger) specification for your APIs, and the WAF enforces that only documented API calls, with the correct parameters, data types, and authentication headers, are allowed. Undocumented endpoints, parameter manipulation, and injection into API calls are blocked at the WAF layer. The protection is only as complete as the specification: endpoints, parameters or body fields that exist in the application but not in the spec are blocked as well, so the spec must be kept current with each release through the same change-management process used for rule tuning, and the monitor phase is used to confirm the spec matches real traffic before enforcement is switched on. For organisations with extensive APIs (fintech platforms, e-commerce checkout flows, healthcare patient portals) this API protection layer is often more valuable than the traditional web application rules.
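To make the positive-security model concrete, here is an added example (not F5's or Imperva's implementation, and simplified to a subset of OpenAPI schema keywords and JSON bodies) of a request validator driven by a constructed OpenAPI document for a small fintech API. Everything the spec does not describe is a reason to block: an unknown path, an unknown method, an extra query parameter, an extra body field, or a value of the wrong type.

```python
"""Added example: a request validator driven by an OpenAPI document, which is the
mechanism behind an API positive-security model. Simplified (type, pattern, min/max,
maxLength and object properties only; JSON bodies only). The spec is constructed."""
from __future__ import annotations
import re
from typing import Any

# Constructed OpenAPI 3 document for two fintech endpoints.
ACCOUNT = {"type": "string", "pattern": "^[0-9]{10}$"}
AUTH = {"name": "Authorization", "in": "header", "required": True, "schema": {"type": "string"}}
TRANSFER_BODY = {
    "type": "object", "additionalProperties": False, "required": ["to_account", "amount"],
    "properties": {"to_account": ACCOUNT, "amount": {"type": "number", "minimum": 0.01},
                   "note": {"type": "string", "maxLength": 140}},
}
OPENAPI_SPEC = {"openapi": "3.0.3", "paths": {
    "/v1/accounts/{account_id}/transactions": {"get": {"parameters": [
        {"name": "account_id", "in": "path", "required": True, "schema": ACCOUNT},
        {"name": "limit", "in": "query", "schema": {"type": "integer", "minimum": 1, "maximum": 100}},
        AUTH,
    ]}},
    "/v1/transfers": {"post": {"parameters": [AUTH], "requestBody": {
        "required": True, "content": {"application/json": {"schema": TRANSFER_BODY}}}}},
}}

TYPES = {"string": str, "integer": int, "number": (int, float), "boolean": bool, "object": dict}


def check_schema(value: Any, schema: dict, where: str, from_text: bool = False) -> list[str]:
    """Violations of a small OpenAPI schema subset; [] means the value conforms."""
    t = schema.get("type")
    if from_text and isinstance(value, str):        # path and query values arrive as text
        if t == "integer" and re.fullmatch(r"-?\d+", value):
            value = int(value)
        elif t == "number" and re.fullmatch(r"-?\d+(\.\d+)?", value):
            value = float(value)
    if not isinstance(value, TYPES[t]) or (isinstance(value, bool) and t != "boolean"):
        return [f"{where}: expected {t}"]
    errs: list[str] = []
    if "pattern" in schema and not re.search(schema["pattern"], value):
        errs.append(f"{where}: does not match {schema['pattern']}")
    if "minimum" in schema and value < schema["minimum"]:
        errs.append(f"{where}: below minimum {schema['minimum']}")
    if "maximum" in schema and value > schema["maximum"]:
        errs.append(f"{where}: above maximum {schema['maximum']}")
    if "maxLength" in schema and len(value) > schema["maxLength"]:
        errs.append(f"{where}: longer than {schema['maxLength']}")
    if t == "object":
        props = schema.get("properties", {})
        errs += [f"{where}.{n}: required property missing" for n in schema.get("required", []) if n not in value]
        for name, v in value.items():
            if name in props:
                errs += check_schema(v, props[name], f"{where}.{name}")
            elif schema.get("additionalProperties", True) is False:
                errs.append(f"{where}.{name}: undocumented property")     # positive model: unknown = blocked
    return errs


def match_path(spec_paths: dict, path: str):
    """Resolve a concrete path to its template, operations and path-parameter values."""
    for template, ops in spec_paths.items():
        pattern = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template)
        m = re.fullmatch(pattern, path)
        if m:
            return template, ops, m.groupdict()
    return None, None, {}


def validate_request(spec: dict, method: str, path: str, query: dict, headers: dict, body: Any = None) -> list[str]:
    """Positive-security decision: [] means forward the request, anything else is a block reason."""
    template, ops, path_values = match_path(spec["paths"], path)
    if template is None:
        return [f"{method} {path}: undocumented endpoint"]
    op = ops.get(method.lower())
    if op is None:
        return [f"{method} {path}: method not documented for {template}"]
    errs: list[str] = []
    documented_query: set[str] = set()
    lower_headers = {k.lower() for k in headers}
    for p in op.get("parameters", []):
        loc, name = p["in"], p["name"]
        if loc == "path":
            errs += check_schema(path_values.get(name, ""), p["schema"], f"path.{name}", from_text=True)
        elif loc == "query":
            documented_query.add(name)
            if name in query:
                errs += check_schema(query[name], p["schema"], f"query.{name}", from_text=True)
            elif p.get("required"):
                errs.append(f"query.{name}: required parameter missing")
        elif loc == "header" and p.get("required") and name.lower() not in lower_headers:
            errs.append(f"header.{name}: required header missing")
    errs += [f"query.{name}: undocumented parameter" for name in query if name not in documented_query]
    rb = op.get("requestBody")
    if rb and body is None:
        if rb.get("required"):
            errs.append("body: required body missing")
    elif rb:
        errs += check_schema(body, rb["content"]["application/json"]["schema"], "body")
    elif body is not None:
        errs.append("body: not documented for this operation")
    return errs
```

The interesting cases are the ones a negative (signature) rule set would miss: `is_admin: true` smuggled into the transfer body, `debug=1` appended to the query string, or `amount` sent as a string. None of these looks like an attack payload, yet each is rejected simply because the specification does not describe it. The same property is the operational cost noted above: an endpoint the developers shipped without updating the spec is rejected just as firmly.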
Bot management is included at all tiers. Standard bot management distinguishes between known good bots (search engine crawlers, uptime monitors), known bad bots (scrapers, vulnerability scanners, credential-stuffing tools), and unknown bots. Known bad bots are blocked; unknown bots receive JavaScript challenges to distinguish automated from human traffic. Premium bot management, available on Mid-Market and Enterprise tiers, includes advanced fingerprinting, TLS fingerprinting (JA3/JA3S), and behavioural analysis that catches sophisticated bots that pass standard JavaScript challenges. A JA3 value identifies a TLS client stack rather than an individual client (every copy of a given browser version shares one), so it serves as a clustering signal alongside request rate and behaviour, not as a blocklist on its own.
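The following added example (not any vendor's code) covers both the credential-stuffing scenario listed earlier and the TLS-fingerprinting point here. It computes JA3 fingerprints from constructed ClientHello field lists, then profiles a constructed login log two ways: per client IP, and per JA3 hash. The stuffing campaign rotates through twenty IPs at three attempts each and is invisible per IP; pivoting on the shared tool fingerprint exposes it. Thresholds and the three fingerprints are assumptions made up for the example.

```python
"""Added example: JA3 fingerprinting plus rate and behaviour features for login traffic.
Not vendor code; the log is constructed and the fingerprints come from made-up
ClientHello field lists."""
from __future__ import annotations
import hashlib
from collections import defaultdict


def _is_grease(v: int) -> bool:
    """GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) vary per connection and are dropped from JA3."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def ja3(version: int, ciphers: list[int], extensions: list[int],
        curves: list[int], point_formats: list[int]) -> tuple[str, str]:
    """JA3 string 'Version,Ciphers,Extensions,Curves,PointFormats' (decimal, '-'-joined) and its MD5."""
    fields = [[version], ciphers, extensions, curves, point_formats]
    text = ",".join("-".join(str(v) for v in f if not _is_grease(v)) for f in fields)
    return text, hashlib.md5(text.encode()).hexdigest()


# Constructed ClientHello field lists for three client stacks (illustrative values, not real captures).
BROWSER_JA3 = ja3(771, [0x1A1A, 4865, 4866, 4867, 49195], [0xFAFA, 0, 23, 65281, 10, 11], [0x2A2A, 29, 23, 24], [0])[1]
BRUTE_TOOL_JA3 = ja3(771, [4865, 4866, 49195, 49199], [0, 10, 11, 13], [23, 24], [0])[1]
STUFFING_TOOL_JA3 = ja3(771, [4866, 4867, 4865, 49196], [0, 11, 10, 35, 16], [29, 23, 30], [0, 1, 2])[1]


def constructed_login_log() -> list[tuple[str, str, str, int]]:
    """(client_ip, ja3_hash, username, http_status) for POST /login, constructed."""
    events = []
    for i in range(40):   # 40 staff behind one office NAT, a few mistyped passwords
        events.append(("198.51.100.20", BROWSER_JA3, f"staff{i:02d}", 401 if i % 10 == 0 else 200))
    for _ in range(30):   # brute force: one IP, one account, many passwords
        events.append(("203.0.113.9", BRUTE_TOOL_JA3, "admin", 401))
    for i in range(60):   # stuffing: rotating IPs, one leaked pair per account, one valid hit
        events.append((f"192.0.2.{i % 20 + 1}", STUFFING_TOOL_JA3, f"user{i:03d}@example.com", 200 if i == 17 else 401))
    return events


def profile(events, by: str) -> dict[str, dict]:
    """Aggregate attempts, failures, distinct usernames and source IPs per IP or per JA3 hash."""
    idx = {"ip": 0, "ja3": 1}[by]
    stats: dict[str, dict] = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "ips": set()})
    for event in events:
        s = stats[event[idx]]
        s["attempts"] += 1
        s["failures"] += event[3] == 401
        s["users"].add(event[2])
        s["ips"].add(event[0])
    return stats


def classify(s: dict, min_attempts: int = 20) -> str:
    """Verdict for one cluster; an ambiguous cluster gets a JS challenge rather than a block."""
    if s["attempts"] < min_attempts:
        return "allow"
    fail_ratio = s["failures"] / s["attempts"]
    user_spread = len(s["users"]) / s["attempts"]       # near 1.0 means one try per account
    if fail_ratio >= 0.8 and user_spread >= 0.8:
        return f"block: credential stuffing ({len(s['users'])} accounts from {len(s['ips'])} IPs)"
    if fail_ratio >= 0.8 and len(s["users"]) <= 2:
        return "block: password brute force against few accounts"
    if fail_ratio >= 0.3:
        return "challenge"
    return "allow"


def verdicts(events) -> tuple[dict[str, str], dict[str, str]]:
    """Per-IP and per-JA3 verdicts side by side, to show what each pivot sees."""
    by_ip = {ip: classify(s) for ip, s in profile(events, "ip").items()}
    by_ja3 = {h: classify(s) for h, s in profile(events, "ja3").items()}
    return by_ip, by_ja3


if __name__ == "__main__":
    by_ip, by_ja3 = verdicts(constructed_login_log())
    print("per IP  :", {k: v for k, v in by_ip.items() if v != "allow"})
    print("per JA3 :", {k[:8]: v for k, v in by_ja3.items() if v != "allow"})
```

The office NAT address fails a handful of logins among many successes and is left alone by both pivots, which is the false positive a pure rate rule would produce. Because a JA3 hash is shared by every client using the same TLS stack, a cluster that is merely suspicious is challenged rather than blocked; only the combination of a high failure ratio with a tell-tale username pattern earns a block.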
Yes, the two are complementary rather than interchangeable. A CDN-level WAF (Cloudflare WAF, Akamai WAF) provides protection at the edge but operates at the CDN vendor's rule granularity and tuning cadence. An on-prem or virtual WAF behind the CDN provides a second inspection layer with application-specific rule tuning, API positive-security models for internal APIs not exposed through the CDN, and protection for systems the CDN does not front (admin portals, internal APIs, staging environments). It also inspects traffic that reaches the origin directly, which is why origin access should additionally be restricted to the CDN's address ranges. Many organisations run CDN WAF for global edge protection and on-prem WAF for application-specific precision. We design the layer architecture during the discovery phase.
Hardware-as-a-Service · 36-month bundle
F5, Imperva, or Barracuda WAF appliance — PCI DSS Req 6.6 compliance, OWASP Top 10 protection, and continuous rule tuning by nCrypt analysts.
WAF appliance (physical or virtual)
Initial rule baseline + OWASP Top 10 coverage
Monthly custom rule tuning
Bot management and DDoS L7 protection
PCI DSS Req 6.6 attestation pack
Hardware refresh at month 30
SMB: RM 2,500 – 4,000 / month. Single virtual WAF, 1-2 web apps, e-commerce SME.
Mid-Market: RM 4,000 – 9,000 / month. HA pair, 5-10 apps, fintech API gateway.
Enterprise: RM 9,000 – 25,000+ / month. Multi-DC, 20+ apps, custom rules, premium bot management.
Need a one-off engagement instead of a leased bundle?
See our consulting service →
Share your user count, locations, and current stack. We'll respond within 24 hours.
Three minutes in the calculator. A precise quote emailed within 24 hours.
Financing available via our partner financial institutions. Indicative monthly figures based on standard 36-month terms; final pricing subject to credit assessment and signed master service agreement.