The functionality of modern application protection systems (WAFs) must go far beyond the list of vulnerabilities in the OWASP Top 10

Retrospective

The scale, composition, and structure of cyberthreats to applications are evolving rapidly. For many years, users accessed web applications over the Internet through a handful of popular browsers. Only 2-5 browsers had to be supported at any given time, and the set of standards for developing and testing web applications was quite limited; almost all databases, for example, were built on SQL. Unfortunately, it did not take long for attackers to learn to use web applications to steal, delete or alter data. They broke into applications and abused their functionality using a variety of techniques, including defrauding application users, injecting code and executing it remotely. Commercial Web Application Firewalls (WAFs) soon appeared on the market, and the community responded by founding the Open Web Application Security Project (OWASP) to define and maintain standards and methodologies for secure application development.

Basic application protection

The OWASP Top 10 is the starting point for protecting applications. It lists the most critical risks and misconfigurations that lead to application vulnerabilities, together with tactics for detecting and repelling the corresponding attacks. The OWASP Top 10 is a recognized benchmark in the application security industry worldwide and defines the minimum set of capabilities a web application protection (WAF) system should have.

In addition, a WAF should address other common web application attacks, including cross-site request forgery (CSRF), clickjacking, web scraping, and remote/local file inclusion (RFI/LFI).

Threats and challenges of modern application security

Today, not all applications are classic web applications. There are cloud applications, mobile applications, APIs and, in the newest architectures, even individual functions (serverless). All of these kinds of applications need to be coordinated and controlled, because they create, modify and process our data. With the advent of new technologies and paradigms, new complexities and challenges arise at every stage of the application life cycle: development and operations integration (DevOps), containers, the Internet of Things (IoT), open source tools, APIs, and more.

The distributed deployment of applications and the diversity of technologies create complex challenges not only for information security professionals, but also for security vendors, who can no longer rely on a one-size-fits-all approach. Application protection must be tailored to the specific business to avoid false positives that degrade the quality of service for users.

The ultimate goal of attackers is usually either to steal data or to disrupt the availability of a service. Attackers also benefit from technological evolution. First, new technologies create more potential gaps and vulnerabilities. Second, attackers have more tools and knowledge in their arsenal for bypassing traditional defenses. This greatly increases the so-called "attack surface" and exposes organizations to new risks. Security policies must change constantly to keep pace with changes in technology and applications.

Applications must therefore be protected against an ever-growing variety of attack methods and sources, and automated attacks must be repelled in real time on the basis of informed decisions. As things stand, operating costs and manual effort are rising while the security posture weakens.

Challenge #1: Bot Management

More than 60% of Internet traffic is generated by bots, and about half of that is "bad" traffic (according to the Radware Security Report). Organizations invest in more network bandwidth essentially to serve a dummy load. Distinguishing precisely between real user traffic and bot traffic, and between "good" bots (such as search crawlers and price comparison services) and "bad" bots, can translate into significant cost savings and a better user experience.

Bots do not make this easy: they can mimic the behavior of real users and bypass CAPTCHAs and other obstacles. Moreover, when attacks come from dynamic IP addresses, protection based on IP address filtering becomes ineffective. Open source development tools that can execute client-side JavaScript (for example, PhantomJS) are often used to launch brute-force attacks, credential stuffing, DDoS attacks and other automated bot attacks.

Effective bot management requires identifying the source of the traffic uniquely, by a fingerprint rather than by IP address. Because a bot attack generates many records, the fingerprint links them into one pattern of suspicious activity that can be scored; the application protection system then makes an informed block/allow decision on the basis of that score, with a minimal rate of false positives.


Challenge #2: Protecting the API

Many applications collect information and data from services they interact with via APIs. Yet when it comes to transferring sensitive data through APIs, more than 50% of organizations do not inspect or protect their APIs against cyberattacks.

API usage examples:

  • Internet of Things (IoT) integration
  • Machine-to-Machine Communication
  • Serverless environments
  • Mobile Apps
  • Event Driven Applications

API vulnerabilities resemble application vulnerabilities: injections, protocol attacks, parameter manipulation, redirects and bot attacks. Dedicated API gateways help ensure interoperability between application services that communicate through APIs, but they do not provide end-to-end application security. A WAF does, with tools such as HTTP header parsing, Layer 7 access control lists (ACLs), JSON/XML payload parsing and validation, and protection against the entire OWASP Top 10. This is achieved by inspecting the keys and values in API requests against both a positive model (what a legitimate request may contain) and a negative model (known attack signatures).
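As an added example (not the article's or Radware's code), the block below inspects a JSON API body with both models the paragraph mentions. The positive model is a per-endpoint schema of allowed fields, types, ranges and formats; anything outside it is rejected, which is what catches parameter manipulation such as a client smuggling in its own `price` field. The negative model is a deliberately small set of injection signatures applied to every string value. The endpoint `/api/v1/orders`, its fields and the sample requests are all hypothetical and constructed here; the Layer 7 ACL is reduced to "only routes with a schema pass".

```python
"""Positive + negative model inspection of a JSON API body.
Added example (not the article's or Radware's code). The endpoint, fields
and signatures are hypothetical; a real WAF would load them from policy."""
import json
import re

# Positive model: what a legitimate request to this (hypothetical) endpoint
# may contain. Unknown fields are rejected, which catches parameter
# manipulation such as a client adding its own "price".
POSITIVE_MODEL = {
    ("POST", "/api/v1/orders"): {
        "sku":      {"type": str, "max_len": 32, "pattern": re.compile(r"^[A-Z0-9-]+$")},
        "quantity": {"type": int, "min": 1, "max": 100},
        "note":     {"type": str, "max_len": 200, "required": False},
    },
}

# Negative model: generic attack signatures applied to every string value.
# Signature lists are never complete, which is why the positive model
# carries most of the weight.
NEGATIVE_MODEL = [
    ("sqli", re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?\d|;\s*drop\s+table)")),
    ("traversal", re.compile(r"(?i)(\.\./|%2e%2e%2f)")),
    ("cmdi", re.compile(r"(;|\||`|\$\()\s*(cat|id|whoami|curl|wget|sh)\b")),
]


def validate(method, path, raw_body):
    """Return ("allow" | "block", [reasons]) for one API request."""
    schema = POSITIVE_MODEL.get((method.upper(), path))
    if schema is None:
        return "block", ["unknown endpoint"]       # L7 ACL: only published routes pass
    try:
        body = json.loads(raw_body)
    except ValueError:
        return "block", ["malformed JSON"]
    if not isinstance(body, dict):
        return "block", ["body must be a JSON object"]

    reasons = []
    for key in body:                                # positive model: no unknown fields
        if key not in schema:
            reasons.append(f"unexpected field: {key}")
    for key, rule in schema.items():
        if key not in body:
            if rule.get("required", True):
                reasons.append(f"missing field: {key}")
            continue
        val = body[key]
        if type(val) is not rule["type"]:           # exact type: bool must not pass as int
            reasons.append(f"{key}: wrong type")
            continue
        if isinstance(val, str):
            if len(val) > rule["max_len"]:
                reasons.append(f"{key}: too long")
            pat = rule.get("pattern")
            if pat and not pat.match(val):
                reasons.append(f"{key}: bad format")
            for name, sig in NEGATIVE_MODEL:        # negative model on every string
                if sig.search(val):
                    reasons.append(f"{key}: matches {name} signature")
        else:                                       # the only other type in this schema is int
            if not rule["min"] <= val <= rule["max"]:
                reasons.append(f"{key}: out of range")
    return ("block" if reasons else "allow"), reasons


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "legit":         ("POST", "/api/v1/orders", '{"sku": "ABC-123", "quantity": 2}'),
    "sqli_in_note":  ("POST", "/api/v1/orders", '{"sku": "ABC-123", "quantity": 2, "note": "x\' OR \'1\'=\'1"}'),
    "price_tamper":  ("POST", "/api/v1/orders", '{"sku": "ABC-123", "quantity": 2, "price": 0}'),
    "type_confuse":  ("POST", "/api/v1/orders", '{"sku": "ABC-123", "quantity": "2"}'),
    "traversal":     ("POST", "/api/v1/orders", '{"sku": "../../etc/passwd", "quantity": 1}'),
    "unknown_route": ("GET", "/api/v1/admin", "{}"),
    "not_json":      ("POST", "/api/v1/orders", "sku=ABC-123&quantity=2"),
}


def run_samples():
    """Validate every constructed sample; returns {label: (verdict, reasons)}."""
    return {label: validate(*req) for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, (verdict, reasons) in run_samples().items():
        print(f"{label:14s} {verdict:5s} {'; '.join(reasons)}")
```

Note which model catches what: the `price` tampering and the string-typed `quantity` never touch a signature, they fail the positive model alone, while the SQL fragment in the free-text `note` is caught only by the negative model because the schema has no format rule for that field. Running both is what the paragraph means by inspecting keys and values against positive and negative models.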

Challenge #3: Denial of Service

An old attack vector, denial of service (DoS), continues to prove effective against applications. Attackers have a range of successful techniques for disrupting application services, including HTTP and HTTPS floods, low-and-slow attacks (e.g. Slowloris, Torshammer), flooding tools such as LOIC, attacks from dynamic IP addresses, buffer overflows, brute-force attacks and many others. With the growth of the Internet of Things and the IoT botnets that followed, applications have become the main target of DDoS attacks. Most stateful WAFs can handle only a limited amount of load, but they can inspect HTTP/S traffic and drop attack traffic and malicious connections. Once an attack has been identified, there is no point in letting the same traffic reach the WAF again: since a WAF's capacity to absorb attacks is limited, an additional solution is needed at the network perimeter to automatically block the subsequent "bad" packets. In such a scenario, both solutions must be able to communicate with each other to exchange information about the attack.

Fig. 1. Organization of comprehensive network and application protection, using Radware solutions as an example

Challenge #4: Continuous Protection

Applications change frequently. Development and deployment methodologies such as continuous delivery mean that modifications are rolled out without manual intervention or review. In such a dynamic environment it is difficult to keep security policies working adequately without a high number of false positives. Mobile apps are updated much more often than web apps, and third-party applications may change without your knowledge. Some organizations try to gain more control and visibility to stay on top of potential risks, but this is not always achievable, so reliable application protection must use machine learning to inventory and visualize existing assets, analyze potential threats, and create and tune security policies whenever the application changes.

Conclusions

As applications play an ever more important role in everyday life, they become a prime target for attackers. The potential jackpot for attackers, and the potential losses for business, are huge. The complexity of securing applications cannot be overstated given the number and variety of applications and threats.

Fortunately, we are at a point where artificial intelligence can come to our rescue. Machine-learning algorithms provide real-time adaptive protection against the most advanced cyberthreats to applications. They also automatically update security policies to protect web, mobile and cloud applications, as well as APIs, while keeping false positives to a minimum.

It is difficult to predict exactly what the next generation of application cyberthreats (perhaps themselves based on machine learning) will look like. But organizations can certainly take steps to protect customer data and intellectual property and to ensure service availability, with considerable business benefit.

Effective approaches and methods for ensuring application security, the main attack types and vectors, risk areas and gaps in web application protection, as well as global experience and best practices, are presented in the Radware study and report "Web Application Security in a Digitally Connected World".

Source: habr.com