Internet connectivity has become the lifeblood of business. During the Covid-19 pandemic, this connectivity has enabled many organisations to remain operational, even when their physical offices were closed due to lockdown measures. Web storefronts benefited from the uplift in e-commerce and organisations accelerated digital transformation initiatives to make business processes seamless.
Those organisations with highly integrated web applications and mobile apps have been able to ride the economic upheaval caused by the pandemic better than those with a less sophisticated online presence. But web applications are an easy target for malicious actors who wish to penetrate corporate networks, steal data and inject ransomware.
A recent survey of global security decision-makers conducted by analyst firm Forrester reports that web applications are the most common vector attackers use to target IT systems. According to the study, improving application security capabilities and services over the next 12 months is the top priority for 28% of global security decision-makers.
Organisations need to protect internal applications, web-facing applications and external application programming interfaces (APIs) that connect internal applications to the outside world. They need to prevent these external interfaces and web front ends from being compromised and, if an attack is successful, a business continuity policy needs to be in place that determines the level of downtime acceptable to the business.
Secure coding
Too many websites ask users to register a username and password. While security professionals urge people to use different passwords – and web browsers will automatically generate and store a strong password – many people opt for a password that is easy to remember. Often, they will use the same password to authenticate on multiple websites. As such, the user’s password is not only easy to crack, but a hacker may also try to use the same password to target other sites.
The OAuth API is one of the approaches available to websites that want to offer authentication without requiring users to set up a new password. It makes use of Facebook and Google back-end authentication, but the cost of this convenience is that Google and Facebook will share some of the user’s information with the organisation that runs the website.
The Open Web Application Security Project (OWASP) has created a set of guidelines as part of its Application Security Verification Standard. In its recommendations, OWASP advocates using the latest methods for secure user authentication, such as multifactor authentication (MFA), biometrics or one-time passwords. Other recommendations include strong encryption to prevent data loss, access controls, and sanitising and validating user-generated content, such as data the user is expected to type into an input box on a web or mobile app.
The standard stipulates that web and mobile application developers need to implement input validation controls. According to OWASP, 90% of all injection attacks occur because an application fails to check input data properly. Version 4.0.2 of the Application Security Verification Standard states: “Length and range checks can reduce this further. Building in secure input validation is required during application architecture design sprints, coding, and unit and integration testing.”
In effect, application developers need to write code in a way that prevents rogue input data from being used as an attack vector. In an injection-style attack, carefully crafted data is used to cause an error that makes the application execute the data as another program. Such an attack can be prevented if the programmer writes the software to handle the input data in a way that checks what data it expects. For example, if it is expecting a number, it should reject anything that does not make sense. Similarly, addresses and dates of birth have standard formats, which can be checked.
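The checks described above can be shown in a short Python sketch, added here as an illustration and not taken from OWASP or the article's sources. The form fields, the `orders` table and the limits (quantity 1 to 100, dates from 1900) are assumptions; the parameterised insert goes one step beyond validation so that accepted values are still handled as data.

```python
import re
import sqlite3
from datetime import date, datetime

class ValidationError(ValueError):
    """A field failed its type, length, range or format check."""

def validate_quantity(raw: str) -> int:
    # A number is expected: allow only 1-3 ASCII digits (length check), then range-check.
    if not re.fullmatch(r"[0-9]{1,3}", raw):
        raise ValidationError("quantity must be 1 to 3 digits")
    value = int(raw)
    if not 1 <= value <= 100:
        raise ValidationError("quantity must be between 1 and 100")
    return value

def validate_dob(raw: str, today: date) -> date:
    # Fixed format first, then a real calendar check (strptime rejects 2021-02-31).
    if not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", raw):
        raise ValidationError("date of birth must be YYYY-MM-DD")
    try:
        dob = datetime.strptime(raw, "%Y-%m-%d").date()
    except ValueError as exc:
        raise ValidationError("date of birth is not a real date") from exc
    if not date(1900, 1, 1) <= dob <= today:
        raise ValidationError("date of birth out of range")
    return dob

def validate_username(raw: str) -> str:
    # Allow-list of characters with length bounds; quotes, spaces and ';' never pass.
    if not re.fullmatch(r"[A-Za-z0-9_.-]{3,32}", raw):
        raise ValidationError("username has invalid characters or length")
    return raw

def store_order(conn: sqlite3.Connection, form: dict, today: date) -> None:
    # Validate every field before use; any failure raises and nothing is written.
    username = validate_username(form.get("username", ""))
    quantity = validate_quantity(form.get("quantity", ""))
    dob = validate_dob(form.get("dob", ""), today)
    # Placeholders keep the values as data, so the database never parses them as SQL.
    conn.execute("INSERT INTO orders (username, quantity, dob) VALUES (?, ?, ?)",
                 (username, quantity, dob.isoformat()))

def demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # constructed sample schema
    conn.execute("CREATE TABLE orders (username TEXT, quantity INTEGER, dob TEXT)")
    return conn
```

Each validator rejects by default and returns a typed value, so later code works with an `int` or a `date` and never with the raw string the user typed.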
One of the many challenges programmers face in trying to write secure code that prevents injection-style or buffer overflow attacks is the fact that modern software development is highly heterogeneous. “If you really want to stop them, you need to make it impossible to write a buffer overflow or injection attack,” says Owen Wright, managing director of assurance at Accenture.
But, while most software used to be hand-coded, Wright says modern software development methods draw heavily on third-party frameworks, libraries and integration with cloud services. Those provided by large commercial providers may have significant teams dedicated to secure coding, he says, but “some well-used open source libraries are maintained by just one or two people [and] everyone relies on them and assumes [they are] well maintained”.
Beyond coding, Wright notes that organisations are starting to adopt a “shift left” approach to IT security, where developers take more responsibility for producing secure code. “Developers are not taught with a security mindset – they are developers first,” he says. “Organisations should focus more on security awareness.”
But there is a constant tension between speed, cost and quality. Wright believes that moving to a DevSecOps model for software projects encourages developers to fix problem code sooner than they would if reliant on penetration testing once the application has been submitted. This is one of the tenets of shifting the responsibility of secure coding left, back to the developer.
In Wright’s experience, this is a lot less expensive than fixing security errors later in the software development lifecycle. He suggests organisations should create templates for securing applications that can then be deployed on subsequent projects.
Protecting web applications
Application layer attacks, which are also known as Layer 7, or L7, attacks, try to overload servers by sending legitimate HTTP requests continuously.
According to internet infrastructure giant Cloudflare, the underlying effectiveness of most distributed denial of service (DDoS) attacks comes from the disparity between the volume of resources it takes to launch an attack relative to the volume of resources it takes to absorb or mitigate one. It says an application layer attack creates more damage with less total bandwidth.
For instance, if a user wishes to access a web-based service, say Gmail, or make a web-based transaction on an e-commerce site, the server receives a request from client software running on the user’s browser or device and must then make a database query or call up an API to fulfil the user’s request.
Cloudflare notes that a denial of service-style attack takes advantage of the fact there can be a disparity in the ability of the server to complete this task when many devices target a single web property. “The effect can overwhelm the targeted server. In many cases, simply targeting an API with a Layer 7 attack is enough to take the service offline,” it warns in an article looking at application-level security.
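The disparity Cloudflare describes is why counting requests alone can miss an application layer attack. The following Python sketch is an added illustration, not Cloudflare's method: it charges each client a per-request cost and flags clients that exceed a budget inside a sliding window. The log format, the cost table, the thresholds and the addresses (taken from documentation ranges) are all assumptions.

```python
from collections import defaultdict, deque

# Assumed relative server cost per path prefix (illustrative values, not measurements):
# a cached static file is cheap, a search that hits the database is expensive.
PATH_COST = {"/static/": 1, "/checkout": 10, "/api/search": 20}
DEFAULT_COST = 5

def sample_log() -> list:
    # Constructed log lines in an assumed format: "<epoch seconds> <client> <method> <path>".
    browser = [f"{1000 + i // 10} 198.51.100.20 GET /static/img{i}.png" for i in range(40)]
    api = [f"{1000 + i} 203.0.113.7 GET /api/search?q=term{i}" for i in range(8)]
    return sorted(browser + api, key=lambda line: int(line.split()[0]))

def request_cost(path: str) -> int:
    # Longest matching prefix wins; unknown paths get a middle-of-the-road cost.
    matches = [prefix for prefix in PATH_COST if path.startswith(prefix)]
    return PATH_COST[max(matches, key=len)] if matches else DEFAULT_COST

def flag_clients(lines, window: int = 10, budget: int = 100) -> dict:
    """Return {client: first timestamp at which its cost inside the window exceeded budget}."""
    recent = defaultdict(deque)   # client -> (timestamp, cost) pairs still inside the window
    spent = defaultdict(int)      # client -> sum of those costs
    flagged = {}
    for line in lines:            # lines must be in time order
        ts_text, client, _method, path = line.split()
        ts, cost = int(ts_text), request_cost(path)
        recent[client].append((ts, cost))
        spent[client] += cost
        while recent[client][0][0] <= ts - window:   # drop requests that aged out
            spent[client] -= recent[client].popleft()[1]
        if spent[client] > budget:
            flagged.setdefault(client, ts)
    return flagged
```

In the constructed log the browser sends five times as many requests as the search client, yet only the search client is flagged. A per-client budget like this does not catch an attack spread across many devices that each stay under the budget.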
Gartner’s Magic Quadrant for web application firewalls report, published in October 2020, predicts that by 2023, more than 30% of public-facing web applications and APIs will be protected by cloud web application and API protection (WAAP) services. By 2024, Gartner expects that most organisations implementing multicloud strategies for web applications in production will use only cloud WAAP services.
Public cloud WAFs
Gartner’s Magic Quadrant for web application firewalls report names Akamai and Imperva as “leaders” in the web application firewall (WAF) arena.
Cloudflare, Fortinet, F5 and Barracuda make up Gartner’s “challenger” quadrant. Along with the two leaders, these companies tend to be on the shortlist when IT decision-makers are looking at their options in the WAF market.
DDoS protection service provider Radware and WAF startup Signal Sciences make Gartner’s “visionary” quadrant, recognising the innovative use of technology in their product offerings. Gartner notes that Radware uses machine learning in its web application firewall to combat threats, while Signal Sciences is focused on securing cloud-native applications.
Public cloud providers also offer web application firewall capabilities as part of their platforms. However, both Microsoft Azure and Amazon Web Services (AWS) are regarded as “niche” players by Gartner.
For instance, the Magic Quadrant report notes that the AWS WAF provides basic bot protection through the AWS-provided managed rule set and infrastructure protection capability. However, the report’s authors warn that AWS WAF lacks many application-specific, advanced bot protection features found in competitors’ products, such as device fingerprinting, user behaviour detection and JavaScript challenges.
Looking at Microsoft’s offering, Gartner says Azure WAF is being made available in more Azure regions. The report highlights Microsoft’s work to integrate Azure WAF with other Azure services. As an example, Gartner notes that Azure WAF now natively integrates with the Azure Kubernetes Service ingress controller for the protection of microservices, can send events to Microsoft’s Azure Sentinel for integrated monitoring, and makes better use of Microsoft technical infrastructure to block known bots.
The Gartner report also mentions new capabilities in Google’s Cloud Armor WAF and DDoS mitigation service, which is available on Google Cloud Platform (GCP). The report’s authors say Google has added “useful features”, such as IP control lists and geo-IP filtering, predefined rules for cross-site scripting (XSS) and SQL injection (SQLi) blocking, and custom rule creation. According to Gartner, Google is showing signs of willingness to expand its capabilities.