Story image

Securing the pervasive web properties and applications

21 Nov 2017

Organisations are building and buying web applications more aggressively than ever, to stay relevant and competitive in today’s digital marketplace. Although revenue-generating external applications command great attention, the internal applications like those for SCM, HR and R&D, serve as the conduits to sensitive information such as customer data, proprietary product specifications, payroll records and other personally-identifiable information. 

These web applications are also under enormous security risks due to the high degree of complexity, regular use of embedded, third-party libraries, routine incorporation of new protocols and features, and business emphasis on rapid time-to-market over enhancing code quality to reduce vulnerabilities.

A global study from Citrix and The Ponemon Institute reveals that 79 per cent of the participants are worried about security breaches involving high-value information and 89 percent believe that the complexity of business and IT operations puts their organisation at a security risk.  

According to Gartner, 90 per cent of current applications will still be in use in 2023. That means there are going to be tens of thousands of applications that will need to be assessed and secured, as attackers often only need to find a single weak link to topple all the IT dominoes. 

With countless combinations of commercially-available and custom-built web apps, it is unrealistic to expect that security technologies using only broad-spectrum rules and mechanisms can fully protect them. Security teams also need tools that offer greater flexibility, deeper granularity of inspection and control. 

For this, organisations need access to real time vulnerability information, and technologies that deliver complete physical coverage (protection for all use cases), functional coverage (detection/prevention of threats) and logical coverage (protection across all layers of the computing stack). Establishing comprehensive coverage such as this requires investing in more than just ordinary network firewalls and intrusion prevention systems (IPSs). 

It’s important to understand the security tools available today to tackle the cyber threats for web applications.

Network intrusion prevention systems

Typically offering little in the way of access control capabilities, network IPS technology is focused on detecting threats from unauthorised access.

The broad-spectrum mechanisms this technology relies on include signatures for known vulnerabilities, and protocol anomaly detection for suspected malicious activities and unknown threats. While the coverage is typically provided up to the application services layer and for all common Internet protocols, it may not be able to identify any behavioural anomaly at the user-end.  

Next-generation firewalls

The next-generation firewall (NGFW) combines the capabilities of network firewalls and IPSs in a single solution. To these capabilities, the NGFW typically adds user and application identity as attributes for controlling access to/from a network. 

Although NGFWs deliver enhanced access control capabilities and an opportunity to eliminate numerous single-technology appliances, the breadth and depth of coverage are simply not sufficient to protect most web properties from increasingly sophisticated and targeted attacks. The ability to reliably identify applications regardless of the port and protocol being used, remains a shortcoming.

The web application firewall – master of the app domain

The web application firewall (WAF) picks up where other security technologies leave off. A cloud and IPS based protection platform, WAF decides by activity to send a user to the application or to block them. It intercepts and inspects all incoming HTTP/HTTPS requests to a website, and thereby helps secures Static, Dynamic, E-commerce, ERP, CRM or any kind of web application irrespective of their platforms. 

WAFs are unique in their ability to validate inputs; detect cookies, session or parameter tampering attacks; block attacks and stop exfiltration of sensitive data through object-level identification and blocking. This is achieved by automated learning routines supplemented by manually-configured policies, to enable the understanding of how each protected web application works characteristically.

The most commonly deployed security technologies like Network Firewalls and IPSs are useful for screening out high volumes of low-layer threats, however, they are unable to sufficiently cover web applications. Although no single security technology provides complete protection for web applications, combining NGFWs with WAFs proves to be an efficient way to establish powerful, full-spectrum threat protection for all important web properties of an organisation.

Article by Safi Obeidullah, director, sales engineering (A/NZ), Citrix.

Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.
Opinion: 4 Ransomware trends to watch in 2019
Recorded Future's Allan Liska looks at the past big ransomware attacks thus far to predict what's coming this year.
Red Box gains compliance boost with new partnership
By partnering with Global Relay, voice platform provider Red Box is improving the security of its offerings for high-value and risk voice data.