Modern applications are difficult to secure. Whether they are web or mobile, custom developed or SaaS-based, applications are now scattered across different platforms and frameworks. To accelerate service development and business operations, applications rely on third-party resources that they interact with via APIs, well-orchestrated by state-of-the-art automation and synchronisation tools. As a result, the attack surface becomes greater as there are more blind spots for network security – higher exposure to risk.
Applications, as well as APIs, must be protected against an expanding variety of attack methods and sources and must be able to make educated decisions in real-time to mitigate automated attacks. Moreover, applications constantly change, and security policies must adapt just as fast. Otherwise, businesses face increased manual labour and operational costs, in addition to a weaker security posture.
The Web Application Firewall Ten Commandments
The OWASP Top 10 list serves as an industry benchmark for the application security community and provides a starting point for ensuring protection from the most common and virulent threats, application misconfigurations that can lead to vulnerabilities, and detection tactics and mitigations. It also defines the basic capabilities required from a Web Application Firewall in order to protect against common attacks targeting web applications like injections, cross-site scripting, CSRF, session hijacking, etc. There are numerous ways to exploit these vulnerabilities, and WAFs must be tested for security effectiveness.
However, vulnerability protection is just the basics. Advanced threats force application security solutions to do more.
Challenge 1: Bot Management
52% of internet traffic is bot-generated, half of which is attributed to “bad” bots. Unfortunately, 79% of organisations can’t make a clear distinction between good and bad bots. The impact is felt across all business arms as bad bots take over user accounts and payment information, scrape confidential data, hold up inventory and skew marketing metrics, thus leading to wrong decisions. Sophisticated bots mimic human behaviour and easily bypass CAPTCHA or other challenges. Distributed bots render IP-based and even device fingerprinting based protection ineffective. Defenders must level up the game.
Challenge 2: Securing APIs
Machine-to-machine communications, integrated IoTs, event-driven functions and many other use cases leverage APIs as the glue for agility. Many applications gather information and data from services with which they interact via APIs. Threats to API vulnerabilities include injections, protocol attacks, parameter manipulations, invalidated redirects and bot attacks. Businesses tend to grant access to sensitive data, without inspecting nor protect APIs to detect cyberattacks. Don’t be one of them.
Challenge 3: Denial of Service
Different forms of application-layer DoS attacks are still very effective at bringing application services down. This includes HTTP/S floods, low and slow attacks (Slowloris, LOIC, Torshammer), dynamic IP attacks, buffer overflow, Brute Force attacks and more. Driven by IoT botnets, application-layer attacks have become the preferred DDoS attack vector. Even the greatest application protection is worthless if the service itself can be knocked down.
Challenge 4: Continuous Security
For modern DevOps, agility is valued at the expense of security. Development and roll-out methodologies, such as continuous delivery, mean applications are continuously modified. It is extremely difficult to maintain a valid security policy to safeguard sensitive data in dynamic conditions without creating a high number of false positives. This task has gone way beyond humans, as the error rate and additional costs they impose are enormous. Organisations need machine-learning-based solutions that map application resources, analyse possible threats, create and optimise security policies in real-time.
Protecting All Applications
It’s critical that your solution protects applications on all platforms, against all attacks, through all the channels and at all times. Here’s how:
- Application security solutions must encompass web and mobile apps, as well as APIs.
- Bot Management solutions need to overcome the most sophisticated bot attacks.
- Mitigating DDoS attacks is an essential and integrated part of application security solutions.
- A future-proof solution must protect containerised applications, serverless functions, and integrate with automation, provisioning and orchestration tools.
- To keep up with continuous application delivery, security protections must adapt in real-time.
- A fully managed security service should be considered to remove complexity and minimise resources.
Radware is a global leader in application delivery and cyber security solutions for virtual, cloud and software-defined data centres. Its award-winning solutions portfolio delivers service level assurance for business-critical applications while maximising IT efficiency. Radware’s solutions empower more than 10,000 enterprise and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity and achieve maximum productivity while keeping costs down.