Are your web applications protected from cyber threats? Theft of consumer data from popular websites was featured prominently in the news in 2016. Yahoo! announced that it had suffered yet another massive attack, with data from more than 1 billion user accounts compromised, making it the largest breach in history. This blog is the second in a series covering protection of your content, applications, and access to them, and discusses the state of web application threats and defense strategies.
Most observers expect the frequency of cyber-attacks to increase during 2017, in part because of the ease with which attacks against web applications can be launched. The application layer is hard to defend because it is exposed to the outside world: for an application to function, it must be accessible over ports 80 (HTTP) and 443 (HTTPS). For a good discussion and demonstration of how the most common web application attacks are performed, read the article and watch the embedded videos from SecurityIntelligence.
Defending Against Web Application Attacks
There are two fundamental ways to protect against attacks: on-premises Web Application Firewall (WAF) network nodes, and cloud-based protection. On-premises, hardware-based WAF network nodes, deployed between the internet and an organization's network, have been a popular solution. These devices contain software that can detect the signatures of attacks and pass only legitimate traffic through to the network. Because all traffic to a website must pass through the WAF so it can detect and block attacks, there is a significant impact on the performance of web applications. The reality is that on-premises WAF nodes are almost passé.
What is rapidly becoming the go-to solution is cloud-based defense. This is implemented by locating WAF nodes between origin servers and a global Content Delivery Network (CDN), which does the heavy work of content caching, web acceleration, and delivery of static content to websites. Web application attacks arrive in dynamic traffic, so dynamic traffic is the only traffic the CDN forwards to the WAF nodes. This minimizes the performance impact of WAF protection and locks down IP traffic, as the WAF only accepts traffic from the CDN. The WAF detects attacks by filtering traffic according to rules derived from the Open Web Application Security Project (OWASP) list of the ten most critical application security risks. In addition, a security operations center monitors dark Internet blogs and industry bulletin boards for new threats. When a new vulnerability is identified, the operations center creates a new security rule and pushes it to all WAF nodes. Even "zero-day" attacks can be closed off before application vendors release patches. The scalable cloud-based architecture results in a low total cost of protection for WAF services.
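The IP lock-down described above can be sketched as follows. This is an added example, not code from the original post or from any CDN or WAF vendor; the CDN ranges are constructed documentation addresses, and the function names and the use of the `X-Forwarded-For` header are assumptions.

```python
import ipaddress

# Constructed sample ranges from the RFC 5737 / RFC 3849 documentation blocks.
# Assumption: a real deployment loads the ranges its CDN provider publishes.
CDN_RANGES = [ipaddress.ip_network(c) for c in
              ("198.51.100.0/24", "203.0.113.0/25", "2001:db8:cd::/48")]


def parse_ip(text):
    """Return an address object, or None when the text is not an IP address."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def from_cdn(peer_ip):
    """True when the TCP peer address lies inside a CDN range."""
    addr = parse_ip(peer_ip)
    return addr is not None and any(
        addr.version == net.version and addr in net for net in CDN_RANGES)


def admit(peer_ip, headers):
    """Return (action, client_ip) for a connection reaching the WAF node."""
    if not from_cdn(peer_ip):
        # Traffic that bypassed the CDN is dropped, and any forwarded header
        # it carries is ignored because the sender is not trusted to set it.
        return ("drop", peer_ip)
    # Only a CDN peer may state the client address. With one trusted hop, the
    # right-most X-Forwarded-For entry is the address the CDN itself saw.
    last_hop = headers.get("X-Forwarded-For", "").split(",")[-1]
    client = parse_ip(last_hop)
    return ("inspect", str(client) if client else peer_ip)


if __name__ == "__main__":
    # Constructed sample connections: (peer address, request headers).
    for peer, hdrs in [("198.51.100.7", {"X-Forwarded-For": "10.0.0.1, 192.0.2.44"}),
                       ("192.0.2.44", {"X-Forwarded-For": "198.51.100.7"})]:
        print(peer, admit(peer, hdrs))
```

The decision is keyed on the TCP peer address, which the sender cannot choose freely, and the forwarded header is read only after that check passes.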
Best Practices Right Now
It will take time for application security vulnerabilities to be patched. In the meantime, there are steps organizations can take to protect themselves.
- Implement the latest state-of-the-art web application cyber-attack defenses. This means, at the very least, cloud-based protection integrated with a CDN.
- Make sure all web application patches are installed. If you have custom web applications, understand how the popular cyber-attacks are architected, as described in the article from SecurityIntelligence, and make sure your applications are designed to prevent these attacks.
More to Come
The next blog in this series will cover securing content in motion with HTTPS. The series will also include updates on security-related events as they occur. See you here next week!