Practical Considerations for Protecting Web Applications
By Tin Zaw, Director of Security Solutions, Verizon Digital Media Services
As consumers pour more of their personal details onto the web, cybersecurity has become more of a priority for companies large and small than ever before. However, protecting consumers is about more than writing solid code. Even airtight programs require protection after their deployment.
Here are some reasons why:
Framework vulnerabilities. Most programs aren’t coded from scratch; they use a framework like Apache Struts or Ruby on Rails as a base. Even if the programmer’s code is correct, there could still be an underlying issue with the framework, and this happens from time to time. Recent examples include Struts vulnerabilities such as CVE-2017-9805 and CVE-2017-5638, both of which enable an attacker to execute arbitrary code on the server.
Malicious requests. Let’s assume a program is secure, effectively evading attacks at every turn. Even so, the malicious requests that come from bots and attackers to your program make their mark, slowing down website performance and affecting user experience. Protection is needed to block that noise, serving as an additional barrier before it gets to the program at all.
Legitimate features can host hidden issues. Even if the program’s login page or payment application are secure on day one, there’s no guarantee that they’ll stay that way after being released into the world. Features that deal with a user’s password or payment information may be legitimate, but are among the most easily exploited, and need to be monitored regularly.
Actual exploits. Of course, these are all preludes to the real possibility that somebody manages to figure out how to crack the program for ill intent. Technology is always marching forward, and with those advances come new ways for bad actors to create exploits. As we need to remain vigilant on a daily basis, we need to automate the protection.
Web Application Firewalls have become an integral part of standard deployment in securing web applications. As a WAF becomes vital, how do you choose the right one? My years of experience in developing and protecting web applications have taught me what best practices developers should consider when choosing a WAF:
Visibility. Web security isn’t all in black and white. Apart from obviously innocent traffic and obviously malicious traffic, there’s also a gray area—and in my experience, a good part of application traffic fits into this category. It’s important to choose a WAF that doesn’t just offer visibility into the good and bad traffic, but the suspicious traffic, too. If developers are not being shown the gray area, they’re not being shown the full picture.
Transparency. Open source software is popular because there’s no black magic behind the scenes: any developer who is part of the project can review the entire log of features and changes. For anything an open source project does, there’s an explanation of their reasoning, and even an established criteria in calling out issues. At Verizon Digital Media Services, we adopted an open source product called Mod Security to serve as the base of our bespoke WAF product because we find that kind of openness to be essential in cybersecurity.
Agility. Like my colleague Richard Yew has previously explained, the agility to pivot and respond quickly to urgent threats and implement rapid fire security updates is essential. A truly agile WAF will offer not only the speed to make these changes, but instant visibility into the real-time situation, plus the ability to execute such changes programmatically instead of manually.
Access. A WAF that follows best practices ought to give customers all the same management tools that the WAF’s security professionals have. While white-glove, around-the-clock customer service is also vital, there are many times at which the task at hand is simple enough that it’d be in the best interest of the customer to make the change his or herself. A good WAF won’t have a dumbed-down version of the professional interface for customers, but the same level of accessibility and detail.
Scalability. A standalone WAF works for a program that’s experimental or just getting started, but when it comes to mature applications, it’s better to look for a WAF that is integrated with a content delivery network (CDN). Popular websites and services need CDNs to scale up their content to enormous audiences, without anybody experiencing lag. A WAF on a packed site needs CDN integration to stay effective.
At Verizon Digital Media Services, we leverage our cloud-based global infrastructure into one of the most advanced WAFs on the market. We’ve put a lot of time and effort into tweaking our WAF because we know how vital it is to have one and to follow best practices.
Now that you know what to look for, learn more about how a WAF fits into Verizon Digital Media Services’ layered security system.
Looking for even more information on cybersecurity? Join us for a live webinar as we discuss how to adapt your web security to today’s evolving cyber threatscape.