The best solution to protect web applications - ISH Tecnologia

Web applications are programs stored on a remote server, delivered via the internet to a client through an interface in a browser.

There are challenges in protecting applications. And the technology background explains why.

In the early days of the internet, websites were static. Basically, what you had was a browser that read an HTML file and assembled the page for users to navigate. In those early days, user interaction with the site was minimal and very limited. And security was reduced to a layer 3 or 4 firewall, which blocked access to the web server on any port other than 80/443 (where HTTP and HTTPS are served by default).

That is why, at that time, most attacks were aimed at exploiting vulnerabilities in the components of the service that was running on the web server, and not in the code of the website itself.

In the 1990s, this started to change, with web servers accepting server-side scripts. Users could now interact with the site, which allowed the emergence of the first applications, such as e-commerce, webmail, blogs and forums.

And here is the first point of attention. The static website, the first super simple applications, and today's super complex applications, running Python, Java, HTML5, PHP, ASP or Ruby, depend on the same protocol to work: good old HTTP.

The problem is that HTTP was not created with the idea of being a protocol to support all this complexity. So the foundation of today's web applications is the same one that existed 30 years ago.

Web applications are essential tools for business

Data and information are the new money. This has made web applications prime targets for hackers. They are easily accessible via the internet while connecting users to corporate databases. So what separates the user, whether legitimate or malicious, from unrestricted access to corporate information is the web application.

Therefore, it is not an exaggeration to say that there will always be someone trying to attack an application. And since today's operating systems have constant update policies, it is easier to find an open door in the application than in the infrastructure.

In that context, what better protects the application?

If we look at the OSI model, we can say that the traditional firewall is not an option. It usually works by seeing only network information, so it has no idea what's happening in the application since its decisions are based on port, protocol and IP address.

Is a next generation firewall enough? They are certainly better than traditional ones, as they add more context to decisions and have capabilities like IPS, web filtering, anti-virus and anti-malware, which simplify and improve security management. But they still have their main focus below layer 7. Many attacks will pass through the NGFW without difficulty.

So who is left?

WAF

The WAF - Web Application Firewall - will protect web applications against non-volumetric attacks at both the application and network layers.

So when we talk about application protection, the best solution is always a WAF, because it is made specifically to protect the part of the traffic that arrives for web applications. That is also why the WAF does not replace the perimeter firewall: a company will still need one in its network.

The WAF will compensate for insecurely developed applications, for example. Let's say the company has 100 legacy applications, developed when there was not yet such a strong security concern. It will be much easier, more efficient and cheaper to protect those applications at once with a WAF than to try to securely recode them.

A WAF will be able to apply a virtual patch to these applications. And because it can patch the application virtually, it is also an excellent tool to protect against zero-day threats.

Key vulnerabilities

Injection attacks (SQL injection, URL injection, LDAP injection) are common and exploit flaws in the validation of data that the user is able to enter into the application. The attacker tries to make the application execute unauthorized commands or queries. A WAF would be able to identify the attack and block only the malicious packets, without affecting legitimate users who are using the application at the same time.

Exposure of sensitive data occurs when information known to be confidential is being sent by the application to the user. A WAF can detect and block the transmission of that information in real time.

Cross-site scripting. Two thirds of all applications have this vulnerability at some point in their code. The application ends up delivering a piece of code written by an attacker to other users' browsers. It is very common in phishing attacks aimed at stealing access credentials, for example.

Use of vulnerable components. Today, developers use various components developed by third parties in their applications and have no idea of the code that is being executed behind the scenes.

A WAF will be able to patch the application code "on the fly". It can embed a CAPTCHA into the application dynamically. That is, instead of redoing application by application to insert a CAPTCHA into data entry forms, your WAF can do it for you with the click of a mouse.
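As an added illustration (not code from the original post or from any ISH product), here is a simplified request inspector showing the two ideas above together: generic injection and cross-site scripting signatures like those in the Key vulnerabilities list, plus a per-parameter virtual patch for a legacy endpoint that does not validate its own input. The path `/legacy/report`, the parameter names and the patterns are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed, deliberately small signature set in the spirit of a WAF rule
# set. Real products use far larger rule sets plus anomaly scoring.
SQLI_PATTERNS = [
    # tautology such as OR 1=1 / AND '1'='1'
    re.compile(r"(?i)\b(or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"),
    re.compile(r"(?i)\bunion\b\s+(all\s+)?\bselect\b"),
]
XSS_PATTERNS = [
    re.compile(r"(?i)<\s*script\b"),   # inline script tag
    re.compile(r"(?i)\bon\w+\s*="),     # event handler attribute
]

# Virtual patch: an allow-list applied in front of a legacy application that
# never validated this parameter itself. Path and rule are constructed.
VIRTUAL_PATCHES = {
    "/legacy/report": {"id": re.compile(r"\d{1,9}")},
}


def inspect_request(url):
    """Return (decision, reason); decision is 'allow' or 'block'."""
    parts = urlsplit(url)
    # parse_qsl percent-decodes values, so encoded payloads are inspected
    # in their decoded form, as a WAF would do before matching.
    params = parse_qsl(parts.query, keep_blank_values=True)

    # 1. Virtual patch rules: strict allow-list for known weak parameters.
    patch = VIRTUAL_PATCHES.get(parts.path, {})
    for name, value in params:
        rule = patch.get(name)
        if rule and not rule.fullmatch(value):
            return "block", f"virtual patch: {name} must match {rule.pattern}"

    # 2. Generic signatures over every parameter value.
    for name, value in params:
        if any(p.search(value) for p in SQLI_PATTERNS):
            return "block", f"sqli signature in parameter {name}"
        if any(p.search(value) for p in XSS_PATTERNS):
            return "block", f"xss signature in parameter {name}"
    return "allow", "no rule matched"
```

Only the offending request is blocked; a normal search or a numeric report id passes through untouched, which is the behaviour the text describes for legitimate users sharing the application with an attacker.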

A WAF can also determine whether the user accessing the application is a bot, and take actions such as blocking access. It also works with threat intelligence. An attack made on the other side of the world that goes into a threat intelligence database can be blocked in the enterprise without the WAF ever having seen that attack before, with no prior configuration required.

False positives

Many people may think that such a tool will generate a large amount of false positives. Actually, it is the opposite: the amount of false positives is very small. And there is also the possibility of activating a learning mode, so the WAF understands how that business's application works before it starts blocking traffic that falls outside the normal and legitimate operation of the application.

If you need more information, contact us. We want to help protect your business.

By Leonardo Camata