Story image

Securing the pervasive web properties and applications

21 Nov 17

Organisations are building and buying web applications more aggressively than ever, to stay relevant and competitive in today’s digital marketplace. Although revenue-generating external applications command great attention, the internal applications like those for SCM, HR and R&D, serve as the conduits to sensitive information such as customer data, proprietary product specifications, payroll records and other personally-identifiable information. 

These web applications are also under enormous security risks due to the high degree of complexity, regular use of embedded, third-party libraries, routine incorporation of new protocols and features, and business emphasis on rapid time-to-market over enhancing code quality to reduce vulnerabilities.

A global study from Citrix and The Ponemon Institute reveals that 79 per cent of the participants are worried about security breaches involving high-value information and 89 percent believe that the complexity of business and IT operations puts their organisation at a security risk.  

According to Gartner, 90 per cent of current applications will still be in use in 2023. That means there are going to be tens of thousands of applications that will need to be assessed and secured, as attackers often only need to find a single weak link to topple all the IT dominoes. 

With countless combinations of commercially-available and custom-built web apps, it is unrealistic to expect that security technologies using only broad-spectrum rules and mechanisms can fully protect them. Security teams also need tools that offer greater flexibility, deeper granularity of inspection and control. 

For this, organisations need access to real time vulnerability information, and technologies that deliver complete physical coverage (protection for all use cases), functional coverage (detection/prevention of threats) and logical coverage (protection across all layers of the computing stack). Establishing comprehensive coverage such as this requires investing in more than just ordinary network firewalls and intrusion prevention systems (IPSs). 

It’s important to understand the security tools available today to tackle the cyber threats for web applications.

Network intrusion prevention systems

Typically offering little in the way of access control capabilities, network IPS technology is focused on detecting threats from unauthorised access.

The broad-spectrum mechanisms this technology relies on include signatures for known vulnerabilities, and protocol anomaly detection for suspected malicious activities and unknown threats. While the coverage is typically provided up to the application services layer and for all common Internet protocols, it may not be able to identify any behavioural anomaly at the user-end.  

Next-generation firewalls

The next-generation firewall (NGFW) combines the capabilities of network firewalls and IPSs in a single solution. To these capabilities, the NGFW typically adds user and application identity as attributes for controlling access to/from a network. 

Although NGFWs deliver enhanced access control capabilities and an opportunity to eliminate numerous single-technology appliances, the breadth and depth of coverage are simply not sufficient to protect most web properties from increasingly sophisticated and targeted attacks. The ability to reliably identify applications regardless of the port and protocol being used, remains a shortcoming.

The web application firewall – master of the app domain

The web application firewall (WAF) picks up where other security technologies leave off. A cloud and IPS based protection platform, WAF decides by activity to send a user to the application or to block them. It intercepts and inspects all incoming HTTP/HTTPS requests to a website, and thereby helps secures Static, Dynamic, E-commerce, ERP, CRM or any kind of web application irrespective of their platforms. 

WAFs are unique in their ability to validate inputs; detect cookies, session or parameter tampering attacks; block attacks and stop exfiltration of sensitive data through object-level identification and blocking. This is achieved by automated learning routines supplemented by manually-configured policies, to enable the understanding of how each protected web application works characteristically.

The most commonly deployed security technologies like Network Firewalls and IPSs are useful for screening out high volumes of low-layer threats, however, they are unable to sufficiently cover web applications. Although no single security technology provides complete protection for web applications, combining NGFWs with WAFs proves to be an efficient way to establish powerful, full-spectrum threat protection for all important web properties of an organisation.

Article by Safi Obeidullah, director, sales engineering (A/NZ), Citrix.

Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Verifi takes spot in Deloitte Asia Pacific Fast 500
"An increasing amount of companies captured by New Zealand’s Anti-Money laundering legislation are realising that an electronic identity verification solution can streamline their customer onboarding."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
What disaster recovery will look like in 2019
“With nearly half of all businesses experiencing an unrecoverable data event in the last three years, current backup solutions are no longer fit for purpose."
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.