You Asked the Questions, We’re Giving You the Answers!
Overview
In a series of responses to a yearlong survey, we heard all sorts of cybersecurity-related questions, and we’d like to help our community by digging into these questions and providing some insight and answers. Naturally, we had to do some “sorting out,” but one main topic of conversation was Web Application Security and how to protect our most valuable resources and private information. We took some of your questions and have answered them in a way that we hope addresses your concerns but also provides you with a path to consider when taking steps on your own to resolve these highly important cybersecurity concerns.
So, how can we win the battle for secured web application delivery? In today’s application-centric world, there’s truly an app for everything. Organizations offer applications with data access to employees and consumers to drive greater productivity, meet business demands, and ultimately achieve a competitive advantage. But as organizations deliver more and more sensitive data through applications, they’re also introducing ever-increasing risk. That’s because today’s users are everywhere—frequently outside the corporate network—and the apps they rely on can be anywhere, from private data centers to the public cloud. The result is less visibility and control for the organization. It’s no surprise that cybercriminals are taking advantage of this exposure by targeting these applications, which exist largely outside the sphere of traditional security protections like firewalls, antivirus software, and TLS/SSL encryption.
What are the greatest threats facing us today? Whether it’s a volumetric denial-of-service (DoS) attack, browser-based malware, or an advanced persistent threat, today’s application attacks are really gambits to obtain or compromise corporate data. As more and more traffic is encrypted, the majority of today’s security tools are running blind, unable to decrypt that data to ensure it’s not malicious. Traditionally, the approach to application security has been focused on the software development lifecycle (SDLC), trying to ensure developers are following best practices for secure coding. While secure code is still a core piece of the overall security puzzle, it’s not the whole picture. The old security perimeter continues to dissolve as more endpoints and networks fall outside of conventional enterprise network footprints, while the risks to applications and sensitive corporate data continue to evolve. Security measures must be enhanced to ensure apps are secured everywhere.
The vast majority of attacks today target the application level—but enterprises are not making corresponding security investments at that level. It’s time for organizations to come to terms with a new reality: security needs to be more focused at the app level. We are dedicated to elevating the awareness level, and this article will provide you with many of the needed data points, which will help you articulate these facts to management and secure the budget necessary to accomplish your objectives.
A Risk-Based Approach to Application Security
Is there a process for evaluating your web application for risk instead of vulnerability? Looking at application security from this risk-based perspective enables organizations to focus on component failures and helps provide the most robust security for the data that’s the ultimate target of most attacks. By analyzing all the components that make up an application, organizations can develop a strategy that delivers the strongest, most appropriate security to the app as a whole. This matters because compromising one component of an app or the network delivering it—whether a code vulnerability, network availability, or DNS—endangers the entire application, as well as the data it houses.
Critical Components of Application Security
When do hackers choose an alternate target in their effort to attack, and why? It’s vital for organizations to deploy the strongest possible set of application security controls to reduce the risk of sensitive data being compromised by an application-level attack. Key components of a proactive, defense-in-depth security posture for the application perimeter include application security testing, firewall services, access controls, and specific protection against various types of threats. A consistent approach to these assessments and processes makes it more difficult to be compromised and far less attractive to the “would-be bad guys.” So, do the right thing: get the vulnerability assessment first and understand the findings before spending a single dime. Any money thrown at resolving a problem before getting the data needed to validate and prioritize criticality is simply not best business practice and could be considered grounds for termination. In an effort to avoid such unpleasantries, let’s take a look at the following areas of concern.
Application Security Testing
What can we do as Administrators to be better prepared and automate processes that will lessen the likelihood of being compromised? Software security is still a cornerstone of an overall application protection strategy. Organizations must ensure that new websites and software are coded securely, but they must also address the countless vulnerabilities already present in existing websites that were built without a secure software development lifecycle. It’s important to remember that finding and fixing vulnerabilities isn’t an academic exercise; it’s all about keeping a sentient attacker out of enterprise systems and away from the data those systems protect. But without a clear picture of the adversaries and their tactics, security professionals will have a difficult time developing effective strategies to defeat them. Going forward, it will be imperative that more people working in the security community better understand software—and software security. US ProTech offers US DOC Validated vulnerability scanners to help identify and mitigate software issues, whether they are found before or after new websites and web applications go live online. Organizations can obtain the best protection, however, by integrating a robust vulnerability scanner service with a full-proxy web application firewall, coupled with regular penetration testing, which should be done (at a minimum) once a year for all the correct reasons.
Web Application Firewall
Speaking of firewalls, how can we benchmark Good, Better and Best in the growing world of options for Next-Generation Firewalls before we make the wrong recommendation to our superiors? Today, a robust and agile web application firewall (WAF) isn’t a luxury—it’s a necessity. The growth of cloud-hosted web applications has been accompanied by increasingly sophisticated security attacks and risks that threaten enterprise data. A hybrid web application firewall can help enterprises defend themselves against OWASP Top 10 threats, application vulnerabilities, and zero-day attacks—no matter where applications are located. Strong layer 7 distributed denial-of-service (DDoS) defenses, detection and mitigation techniques, virtual patching, and granular attack visibility can thwart even the most sophisticated threats before they reach network servers. In addition, having the ability to detect and block attackers before they access an enterprise data center provides a major advantage. A powerful web application firewall that can stop malicious activity at the earliest stage of a potential attack allows organizations to significantly reduce risk as well as increase data center efficiency by eliminating the resources spent processing unwanted traffic.
Enterprises Should Look for a Web Application Firewall That:
1. Provides a proactive defense against automated attack networks.
2. Identifies suspicious events by correlating malicious activity with violations.
3. Delivers easy-to-read reports to help streamline compliance with key regulatory standards such as the Payment Card Industry Data Security Standard (PCI DSS), HIPAA, and Sarbanes-Oxley.
4. Integrates with leading dynamic application security testing (DAST) scanners for immediate patching of vulnerabilities.
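To make items 1 and 2 of that list concrete, here is a small event correlator written for this article (it is an added example, not US ProTech, Intelli-Flex or any WAF vendor's code). It applies a few OWASP-style signature rules to web access-log lines, records each violation, and then flags any source address that accumulates several violations inside a short window, which is the signal a WAF uses to tell an automated attack network from a lone mistyped request. The log-line format, the rule set, the sample log lines (RFC 5737 documentation addresses) and the window/threshold values are all assumptions made for the example.

```python
"""Toy WAF event correlator.

Added example (not US ProTech / Intelli-Flex code): applies a few OWASP-style
signature rules to web access-log lines, then correlates violations per source
address so that a client that racks up several violations inside a short window
is flagged as suspected automation. The log-line format, rule set and
thresholds are assumptions made for this example.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Signature rules matched against the URL-decoded request target.
RULES = [
    ("sqli", re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+)")),
    ("path_traversal", re.compile(r"\.\./")),
    ("xss", re.compile(r"(?i)(<script\b|javascript:)")),
]

# Constructed log format: "<unix_ts> <src_ip> <method> <target> <status>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample log (RFC 5737 documentation addresses, made up for this example).
SAMPLE_LOG = [
    "1000 203.0.113.5 GET /index.html 200",
    "1001 203.0.113.5 GET /search?q=shoes 200",
    "1002 198.51.100.9 GET /item?id=1%27%20OR%20%271%27%3D%271 200",
    "1003 198.51.100.9 GET /item?id=1%20UNION%20SELECT%20a,b%20FROM%20t 500",
    "1004 198.51.100.9 GET /static/..%2F..%2Fetc%2Fpasswd 404",
    "1200 203.0.113.5 GET /profile?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200",
]


def check_request(target):
    """Return the names of rules violated by one request target."""
    # Decode twice so that a double-encoded payload (%2527) is still inspected.
    decoded = unquote(unquote(target))
    return [name for name, rx in RULES if rx.search(decoded)]


def correlate(lines, window=60, threshold=3):
    """Parse log lines, record every violation, and flag sources that produce
    at least `threshold` violations within any `window`-second span."""
    events = []
    times_by_src = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the assumed format; skip it
        ts, src, _method, target, _status = m.groups()
        hits = check_request(target)
        if hits:
            events.append({"ts": int(ts), "src": src, "target": target, "rules": hits})
            times_by_src[src].append(int(ts))

    flagged = set()
    for src, times in times_by_src.items():
        times.sort()
        # Sliding window over the sorted violation timestamps.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(src)
                break
    return events, flagged


if __name__ == "__main__":
    events, flagged = correlate(SAMPLE_LOG)
    for e in events:
        print(e["ts"], e["src"], ",".join(e["rules"]), e["target"])
    print("suspected automation:", sorted(flagged))
```

Run as a script it lists the four violations and flags only 198.51.100.9, whose three violations arrive within three seconds; the single cross-site scripting hit from 203.0.113.5 is logged but, on its own, does not meet the automation threshold. A production WAF does the same correlation with far richer signals (rate, geography, session reputation), but the decision structure is the one shown here.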
SSL Inspection and the Race to Encryption
What major technology adoption trends will happen in 2017 that you won’t want to miss? Today, SSL is everywhere. Analysts predict that encrypted traffic will jump to nearly 64 percent of all North American online traffic in 2016, up from just 29 percent in 2015. Organizations are scrambling to encrypt the majority of traffic, including everything from email and social media to streaming video. The level of security provided by SSL is enticing, but at the same time, it has become a vulnerability vector as attackers use SSL as a way to hide malware from security devices that cannot see encrypted traffic.
Stealth Networking and Inspecting Encrypted Packets
Is there a way to use encryption in a way that still allows for deep packet inspection? Yes, it’s called Stealth Networking, and it’s available right now through US ProTech and Intelli-Flex. Enterprise security solutions must gain visibility into this encrypted traffic to ensure that it is not bringing malware into the network. One way to battle these encrypted threats is to deploy an SSL “air gap” solution, which consists of placing an Application Delivery Controller (ADC) on either side of the visibility chain. The ADC closest to the users decrypts outbound traffic and sends the decrypted communications through the security devices. These devices, which can now see the content, apply policies and controls, detecting and neutralizing malware. At the other end of the chain, another ADC re-encrypts the traffic as it leaves the data center. This solution provides the flexibility of keeping security devices in line while ensuring that they can do the job they were built for.
DDoS Protection
Are old cybersecurity threats that have been around for decades still a threat? Yes, indeed they are! Today, most apps are Internet based, so a volumetric DDoS attack can cripple—or even take down—an application. DDoS attacks are increasing in scale and complexity, threatening to overwhelm the internal resources of enterprises around the world. These attacks combine high-volume traffic clogging with stealthy, application-targeted techniques—all with the intent of disrupting service for legitimate users. Organizations must ensure they have a robust DDoS protection strategy in place to ensure the availability of their critical applications. Consider solutions that offer comprehensive, multi-layered L3 through L7 protection and can stop DDoS attacks in the cloud before they reach the network and the data center.
DNS Security
What can I do to help hide my environments, and is there value in 3rd-party offerings to do so? While not a part of the traditional, secure-coding view of application security, an enterprise’s DNS strategy plays a huge role in the security and availability of its applications. DNS is the backbone of the Internet, as well as one of the most vulnerable points in an organization’s network. Organizations must protect against an ever-growing variety of DNS attacks, including DNS amplification query floods, dictionary attacks, and DNS poisoning. An enterprise can ensure that customers—and employees—can access critical web, application, and database services whenever they need them with a solution that intelligently manages global traffic, mitigates complex threats by blocking access to malicious IP addresses and domains, and integrates seamlessly with third-party vendors for implementation, such as US ProTech, which also offers centralized management and secure handling of DNSSEC keys. US ProTech solutions also deliver high-performance DNS, which can scale quickly to better absorb DDoS attacks.
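The two DNS attack patterns named above that show up in resolver telemetry, amplification floods and dictionary (random-subdomain) floods, can be recognised from query logs. The detector below is an added example written for this article, not US ProTech or Intelli-Flex code. It works on constructed log records (one per request/response pair) and flags a source whose aggregate response-to-request byte ratio is far above normal, and a source that asks for many distinct names under one zone. Record field names, the sample data and the thresholds are assumptions. One caveat worth keeping in mind: in a reflection flood the "source" address is the spoofed victim, so the right response to an amplification finding is response rate limiting toward that address, not treating it as the attacker.

```python
"""Toy DNS abuse detector.

Added example (not US ProTech / Intelli-Flex code): reads constructed resolver
log records and flags (1) amplification, a source whose total response bytes
dwarf its request bytes, typical of ANY/TXT reflection floods, and (2) random-
subdomain floods, a source issuing many distinct names under one zone. Field
names, sample data and thresholds are assumptions for this example.
"""
from collections import defaultdict

# Constructed records (RFC 5737 addresses): src, qname, qtype, request/response sizes in bytes.
SAMPLE_RECORDS = [
    # Reflection pattern: ANY/TXT queries from one (likely spoofed) source, huge responses.
    {"src": "203.0.113.7", "qname": "example.com.", "qtype": "ANY", "req": 64, "resp": 3400},
    {"src": "203.0.113.7", "qname": "example.com.", "qtype": "ANY", "req": 64, "resp": 3400},
    {"src": "203.0.113.7", "qname": "example.com.", "qtype": "TXT", "req": 66, "resp": 1500},
    # Random-subdomain flood against one zone (dictionary / NXDOMAIN attack).
    {"src": "198.51.100.3", "qname": "a1x.example.org.", "qtype": "A", "req": 70, "resp": 120},
    {"src": "198.51.100.3", "qname": "q9z.example.org.", "qtype": "A", "req": 70, "resp": 120},
    {"src": "198.51.100.3", "qname": "mm2.example.org.", "qtype": "A", "req": 70, "resp": 120},
    {"src": "198.51.100.3", "qname": "k0p.example.org.", "qtype": "A", "req": 70, "resp": 120},
    {"src": "198.51.100.3", "qname": "ww8.example.org.", "qtype": "A", "req": 70, "resp": 120},
    {"src": "198.51.100.3", "qname": "t4t.example.org.", "qtype": "A", "req": 70, "resp": 120},
    # Ordinary client.
    {"src": "192.0.2.10", "qname": "www.example.org.", "qtype": "A", "req": 72, "resp": 104},
    {"src": "192.0.2.10", "qname": "mail.example.org.", "qtype": "MX", "req": 73, "resp": 140},
]


def zone_of(qname, depth=2):
    """Return the last `depth` labels of a name: 'x.example.org.' -> 'example.org.'."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-depth:]) + "."


def amplification_by_source(records):
    """Aggregate response bytes / request bytes per source address."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        totals[r["src"]][0] += r["req"]
        totals[r["src"]][1] += r["resp"]
    return {src: resp / req for src, (req, resp) in totals.items()}


def distinct_names_by_source_zone(records):
    """Count distinct query names per (source, zone) pair."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["src"], zone_of(r["qname"]))].add(r["qname"])
    return {key: len(names) for key, names in seen.items()}


def detect(records, amp_factor=20.0, name_threshold=5):
    """Return findings as tuples: (kind, source, detail)."""
    findings = []
    for src, factor in amplification_by_source(records).items():
        if factor >= amp_factor:
            # Source is probably the spoofed victim: rate-limit responses to it.
            findings.append(("amplification", src, round(factor, 1)))
    for (src, zone), n in distinct_names_by_source_zone(records).items():
        if n >= name_threshold:
            findings.append(("random_subdomain", src, zone))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(*finding)
```

On the sample data the ANY/TXT source comes out at roughly 43 bytes returned per byte received, far beyond the factor of 20 used here as the trigger, and the six-name burst under example.org. is reported as a random-subdomain flood; the ordinary client trips neither rule.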
Web Fraud Detection
Can someone please show me a better way to capture, monitor and implement corrective action plans against anomalies linked to massive fraud? Fifty years ago, if you wanted to rob a bank, you had to actually go to the bank. Now, you can rob a bank from 5,000 miles away. The global nature of the Internet means that everything is equidistant to the adversary, and financial institutions are some of the highest-value targets on the Internet. To effectively combat the perils of fraud, organizations that offer financial services over the Internet must defend their businesses with a combination of security technologies. Consider a US ProTech solution that helps protect against a full range of fraud threat vectors, preventing attackers from spoofing, disabling, or otherwise bypassing security checks. Organizations can thereby reduce the risk of financial and intellectual property loss—and feel secure with proactive protection against emerging web threats and fraud.
Access Controls
“I AM” is the shortest sentence in the English language. But failing to deploy Identity Access Management may be the fastest way to get “fired.” Some of the most recent and damaging security breaches have been due to compromised user and administrator credentials. These breaches may have been thwarted by authenticating and authorizing the right people to the right information and ensuring secure connectivity to applications with single sign-on and multi-factor authentication technologies. Furthermore, identity and access controls centralized by the enterprise can provide secure authentication between the enterprise network and applications based in the cloud or as Software as a Service (SaaS).
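Multi-factor authentication blunts credential theft because a stolen password alone no longer unlocks the account; what the server actually checks for the common time-based second factor is shown below. This is an added example written for this article, not US ProTech or Intelli-Flex code: a from-scratch RFC 4226 HOTP / RFC 6238 TOTP implementation on the Python standard library, plus a verifier that tolerates one step of clock skew and refuses to accept a time step twice, so that a code captured in transit cannot be replayed. The verifier class, its method names and the step/skew defaults are assumptions; the key is the published RFC 6238 test vector, not a real credential.

```python
"""TOTP verification with replay protection.

Added example (not US ProTech / Intelli-Flex code): RFC 4226 HOTP and
RFC 6238 TOTP on the standard library, plus a server-side verifier with a
small clock-skew window that never accepts the same time step twice.
The verifier class and its defaults are assumptions for this example; the
secret is the published RFC 6238 test key, not a real credential.
"""
import hashlib
import hmac
import struct
import time

RFC6238_TEST_SECRET = b"12345678901234567890"  # published test-vector key


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code for one enrolled user (hypothetical API)."""

    def __init__(self, secret, step=30, digits=6, skew=1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self._last_counter = -1  # highest time step already consumed by a success

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        counter = int(now) // self.step
        for delta in range(-self.skew, self.skew + 1):
            c = counter + delta
            if c <= self._last_counter:
                continue  # replay: this step (or an earlier one) was already used
            expected = hotp(self.secret, c, self.digits)
            # Constant-time compare so response timing does not leak matching digits.
            if hmac.compare_digest(expected, code):
                self._last_counter = c
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(RFC6238_TEST_SECRET, digits=8)
    print(totp(RFC6238_TEST_SECRET, 59, digits=8))   # 94287082 per RFC 6238
    print(v.verify("94287082", 59))                   # True
    print(v.verify("94287082", 59))                   # False: replay rejected
```

The replay guard is the part most home-grown implementations omit: without `_last_counter`, a code phished from the user stays valid for the rest of its 30-second step (plus the skew window), which is exactly the gap real-time phishing kits exploit. The secret must of course be stored as carefully as a password hash would be, since anyone holding it can generate codes.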
The Future of Application Protection
Application protection is fraught with complexity, and with the exponential growth of the Internet of Things and the applications that go along with it, the issues are only growing. In 2010, there were 200 million web apps; today, there are nearly a billion. In 2020, that could easily be five billion. All those applications are vulnerability vectors—and many of them contain critical data that could be the target of attackers. By enhancing existing security portfolios with solutions and services focused on the application level, organizations can better protect the applications that can expose their sensitive data. Ensuring that applications are protected no matter where they reside is critical—and the stakes are high. It’s time to broaden the view of application security so that organizations are in a better position to effectively secure all the components that make up their critical apps, safeguard their data, and protect their businesses. In an effort to make these recommendations a reality for our clients, prospects and readers of our whitepapers, US ProTech and Intelli-Flex offer a complimentary consultation coupled with two complimentary vulnerability scans (one internal and one external) so you can gain a baseline from which to start. Remember: making technology decisions before you know your vulnerability posture is not a recommended cybersecurity remediation process. So please, give us a call and get started today on the path to knowledge.
Acknowledgements: Intelli-Flex thanks US ProTech, their partners and guest contributors who assisted in the development of this Whitepaper, namely, the U.S. Department of Commerce, the SANS Institute, UCLA, Lockheed Martin and F5.