Securing the pervasive web properties and applications
Organisations are building and buying web applications more aggressively than ever, to stay relevant and competitive in today’s digital marketplace. Although revenue-generating external applications command great attention, the internal applications like those for SCM, HR and R&D, serve as the conduits to sensitive information such as customer data, proprietary product specifications, payroll records and other personally-identifiable information.
These web applications are also under enormous security risks due to the high degree of complexity, regular use of embedded, third-party libraries, routine incorporation of new protocols and features, and business emphasis on rapid time-to-market over enhancing code quality to reduce vulnerabilities.
A global study from Citrix and The Ponemon Institute reveals that 79 per cent of the participants are worried about security breaches involving high-value information and 89 percent believe that the complexity of business and IT operations puts their organisation at a security risk.
According to Gartner, 90 per cent of current applications will still be in use in 2023. That means there are going to be tens of thousands of applications that will need to be assessed and secured, as attackers often only need to find a single weak link to topple all the IT dominoes.
With countless combinations of commercially-available and custom-built web apps, it is unrealistic to expect that security technologies using only broad-spectrum rules and mechanisms can fully protect them. Security teams also need tools that offer greater flexibility, deeper granularity of inspection and control.
For this, organisations need access to real time vulnerability information, and technologies that deliver complete physical coverage (protection for all use cases), functional coverage (detection/prevention of threats) and logical coverage (protection across all layers of the computing stack). Establishing comprehensive coverage such as this requires investing in more than just ordinary network firewalls and intrusion prevention systems (IPSs).
It’s important to understand the security tools available today to tackle the cyber threats for web applications.
Network intrusion prevention systems
Typically offering little in the way of access control capabilities, network IPS technology is focused on detecting threats from unauthorised access.
The broad-spectrum mechanisms this technology relies on include signatures for known vulnerabilities, and protocol anomaly detection for suspected malicious activities and unknown threats. While the coverage is typically provided up to the application services layer and for all common Internet protocols, it may not be able to identify any behavioural anomaly at the user-end.
The next-generation firewall (NGFW) combines the capabilities of network firewalls and IPSs in a single solution. To these capabilities, the NGFW typically adds user and application identity as attributes for controlling access to/from a network.
Although NGFWs deliver enhanced access control capabilities and an opportunity to eliminate numerous single-technology appliances, the breadth and depth of coverage are simply not sufficient to protect most web properties from increasingly sophisticated and targeted attacks. The ability to reliably identify applications regardless of the port and protocol being used, remains a shortcoming.
The web application firewall – master of the app domain
The web application firewall (WAF) picks up where other security technologies leave off. A cloud and IPS based protection platform, WAF decides by activity to send a user to the application or to block them. It intercepts and inspects all incoming HTTP/HTTPS requests to a website, and thereby helps secures Static, Dynamic, eCommerce, ERP, CRM or any kind of web application irrespective of their platforms.
WAFs are unique in their ability to validate inputs; detect cookies, session or parameter tampering attacks; block attacks and stop exfiltration of sensitive data through object-level identification and blocking. This is achieved by automated learning routines supplemented by manually-configured policies, to enable the understanding of how each protected web application works characteristically.
The most commonly deployed security technologies like Network Firewalls and IPSs are useful for screening out high volumes of low-layer threats, however, they are unable to sufficiently cover web applications. Although no single security technology provides complete protection for web applications, combining NGFWs with WAFs proves to be an efficient way to establish powerful, full-spectrum threat protection for all important web properties of an organisation.
Article by Safi Obeidullah, director, sales engineering (A/NZ), Citrix.