
Most Saudi enterprise security conversations center on the network perimeter — the firewall, the IPS, the endpoint. What they undercount is the attack surface that sits above the network layer: web applications, APIs, customer portals, mobile backends, and SaaS integration endpoints that are publicly accessible, internet-facing, and increasingly the primary target for attackers who have learned that the network perimeter has gotten harder to breach directly.
Web application attacks work because the traffic they carry looks legitimate. An SQL injection payload arrives over HTTPS on port 443 — the same port your firewall is configured to allow. A Cross-Site Scripting (XSS) attack is delivered through a form field your developers built to accept user input. A broken access control vulnerability is exploited by a valid, authenticated user making a request the application was not designed to restrict. None of these attacks trigger a network-layer firewall rule, because none of them are network-layer threats. They are application-layer threats, and they require an application-layer control: the Web Application Firewall.
The Open Web Application Security Project (OWASP) maintains the industry's definitive ranking of web application security risks, updated based on real-world vulnerability data from hundreds of thousands of applications [1]. The current OWASP Top 10 — in its 2021 edition, which remains the operative reference — covers the risk categories that dominate web application breach patterns globally:
Broken Access Control — the top-ranked risk. Users accessing resources or performing actions beyond their authorization. Exploited through direct object reference manipulation, missing function-level access controls, and API endpoint enumeration.
Cryptographic Failures — sensitive data exposed due to inadequate encryption in transit or at rest, weak algorithms, or improper key management. Under PDPL, this category has direct regulatory implications in Saudi Arabia [2].
Injection — SQL injection, OS command injection, LDAP injection. Malicious code injected through input fields and executed by the application's backend systems. Despite decades of awareness, Claranet's 2024 penetration testing data found injection vulnerabilities present in a significant proportion of tested web applications [3].
Insecure Design — architectural weaknesses baked into applications at the design phase that no implementation-level control can fully remediate.
Security Misconfiguration — the most common vulnerability found in practice. Default credentials, verbose error messages, unnecessary features enabled, missing security headers, cloud service misconfiguration.
Vulnerable and Outdated Components — third-party libraries, frameworks, and dependencies with known CVEs that remain unpatched in production. Claranet's 2024 data found over 1,000 instances of outdated JavaScript libraries across tested applications in a single year [3].
Authentication and Identification Failures — credential stuffing, brute force, session management weaknesses, weak password policies.
Software and Data Integrity Failures — insecure deserialization, supply chain attacks, unverified software updates.
Security Logging and Monitoring Failures — insufficient logging that leaves attacks undetected and uninvestigated.
Server-Side Request Forgery (SSRF) — attacks that cause the server to make requests to unintended internal or external resources.
A WAF addresses the majority of these categories at the application layer — inspecting HTTP/HTTPS traffic in both directions, applying signature-based rules for known attack patterns, and enforcing positive security models that block traffic that does not conform to expected application behavior.
NCA's Essential Cybersecurity Controls (ECC) subdomain 2-4 addresses web application security and requires the protection of internet-facing web applications against cyber risks [4]. For organizations operating internet-facing applications — which now includes nearly every Saudi enterprise with a customer portal, payment gateway, HR self-service, or partner integration — this control is in scope.
NCA's Critical Systems Cybersecurity Controls (CSCC), which applies to organizations operating critical national infrastructure or critical systems, explicitly requires WAF protection for internet-facing critical system applications [5]. For Saudi banks, energy companies, healthcare organizations, government entities, and telecommunications operators, CSCC is in scope alongside ECC — and CSCC's web application protection requirements are more prescriptive than ECC's baseline.
SAMA's Cybersecurity Framework similarly addresses application security within its network and application security domain, requiring documented controls for internet-facing applications at Maturity Level 3 [6].
The practical consequence is that organizations approaching their next NCA ECC audit or SAMA assessment without a deployed and configured WAF will face a gap on web application protection controls — and that gap is increasingly difficult to explain in environments where internet-facing applications have multiplied over the past five years of digital transformation.
On-premises WAF (hardware or virtual appliance). Deployed in the data center or at the edge, inspecting traffic before it reaches application servers. Fortinet FortiWeb is the on-premises WAF platform ITBuilders deploys for Saudi enterprises — integrated with the broader Fortinet Security Fabric for correlated visibility between network-layer and application-layer events. FortiWeb's machine learning-based threat detection builds a positive security model for each protected application, reducing false positives compared to signature-only WAF approaches.
Cloud WAF / CDN-integrated WAF. Deployed in front of internet-facing applications at the CDN or cloud edge layer, without requiring on-premises infrastructure. Suitable for applications hosted on Azure, AWS, or third-party SaaS platforms. Microsoft Azure WAF (integrated with Azure Application Gateway or Azure Front Door) and Cloudflare WAF are the primary cloud WAF platforms ITBuilders configures for Saudi enterprises running cloud-hosted applications.
Managed WAF. The WAF is deployed and operated by ITBuilders — rules are tuned, false positives are investigated, new CVEs are applied, and the WAF event feed is connected to the managed SOC for correlated alerting. Managed WAF removes the operational burden of WAF management from the internal team while providing the compliance evidence and monitoring integration that NCA and SAMA auditors expect.
A WAF deployed in default mode — with standard OWASP ruleset enabled and learning mode active — provides basic protection and a compliance checkbox. It does not provide optimized protection for the specific applications behind it.
A tuned WAF has gone through a structured onboarding process: application traffic is profiled, a positive security model is built, false positive sources are identified and addressed, application-specific rules are written for unusual input patterns, and rate limiting policies are configured for the application's authentication and API endpoints.
The difference is material. An untuned WAF in blocking mode produces alert fatigue from false positives and frequently gets switched back to detection mode to stop operational disruption — which defeats its purpose. A tuned WAF in blocking mode is operationally transparent, blocks actual attacks, and produces a manageable alert volume that the SOC can act on.
NCA's updated ECC 2:2024 strengthens cybersecurity requirements at the national level [7]. The direction of travel is consistent: internet-facing application protection is receiving more regulatory attention, not less, as Saudi Arabia's digital economy grows and the web application attack surface expands with it. Organizations that establish WAF capability now are building ahead of increasingly prescriptive requirements; those that defer will face escalating gaps in successive audit cycles.
ITBuilders designs, deploys, and operates WAF environments for Saudi enterprises — on-premises with FortiWeb, cloud-native with Azure WAF or Cloudflare, or hybrid combinations based on application architecture. Our cybersecurity engineers understand the application security context that makes WAF effective — not just the appliance configuration, but the application profiling, rule tuning, false positive management, and SOC integration that make it operationally sustainable.
Our WAF engagements typically begin with an application inventory — identifying all internet-facing applications, APIs, and integration endpoints — followed by WAF deployment architecture design, phased onboarding with learning mode followed by tuned blocking mode, and optional integration with ITBuilders' managed SOC for 24/7 WAF event monitoring.
If your organization operates internet-facing web applications and does not have a WAF deployed and actively managed, your NCA ECC subdomain 2-4 control is open. Book a free web application security assessment with ITBuilders. We will inventory your internet-facing applications, assess your current WAF posture, and design a deployment model that satisfies NCA ECC, CSCC where applicable, and SAMA application security requirements.
Call: 920-020-750
Email: [email protected]
Or visit: · ·
[1] OWASP Foundation, "OWASP Top Ten Web Application Security Risks." https://owasp.org/www-project-top-ten/
[2] Saudi Data and AI Authority (SDAIA), Personal Data Protection Law (PDPL). https://sdaia.gov.sa/en/SDAIA/about/Pages/PersonalDataProtectionLaw.aspx
[3] Claranet Cyber Security, "Top 10 Web Application Vulnerabilities Found in 2024," January 2025. https://www.claranet.com/us/blog/2025-01-07-claranet%E2%80%99s-top-10-web-application-vulnerabilities-found-2024
[4] National Cybersecurity Authority (Saudi Arabia), Essential Cybersecurity Controls (ECC – 1:2018), Subdomain 2-4 Web Application Protection. https://nca.gov.sa/ecc-en.pdf
[5] National Cybersecurity Authority (Saudi Arabia), Critical Systems Cybersecurity Controls (CSCC – 1:2019), internet-facing application protection requirements. https://cdn.nca.gov.sa/api/public/cms/files/f15af01c-dc59-4281-95e2-03a770655937_Critical-Systems-Cybersecurity-Controls.pdf
[6] Saudi Central Bank (SAMA), Cyber Security Framework, Version 1.0, May 2017. https://www.sama.gov.sa/en-US/RulesInstructions/CyberSecurity/Cyber%20Security%20Framework.pdf
[7] National Cybersecurity Authority (Saudi Arabia), Essential Cybersecurity Controls (ECC 2:2024). https://nca.gov.sa/en/regulatory-documents/controls-list/ecc/

Data breaches in the Middle East remain the second costliest globally, averaging SAR 27 million per incident in 2025. While adoption of AI and encrypt...

Outsourcing security shapes your risk posture for years. A practical checklist for choosing an MSSP — from 24/7 SOC capability and response SLAs to l...

What the Saudi Central Bank's Cybersecurity Framework requires of financial institutions — its four domains, the six-level maturity model, and how to ...