Attackers Are Thinking About Your Application Layer Security. Are You?
*This article was originally published on Forbes.com on Sept. 21, 2017
Chances are the recent headlines about high-profile data breaches resulting from web application vulnerabilities have given you a reason to rethink your Layer 7 protection. And if not, you should.
Attacking web applications has become a favorite tactic of hackers. The rise of cloud technologies, ubiquitous internet of things (IoT) devices, and software-defined infrastructures are powering digital transformation, creating tremendous opportunities and advantages for organizations of all kinds. Unfortunately, this evolution of the modern enterprise has created precarious interdependencies and security gaps which make it easier to exploit vulnerabilities in the application layer.
Factor in the lucrative trove of data to be gleaned from one successful breach and you’ve got a cyber attacker's dream come true.
Using a Web Application Firewall (WAF) can prevent attacks that take advantage of web application security flaws like SQL injections, cross-site scripting, and security misconfigurations. If you’re bound by PCI DSS compliance or other security industry regulations, you’re probably already using a WAF or complying internally with PCI requirements. But not all WAFs are created equal. And if, like most organizations, you’re grappling with how to protect against zero-day vulnerabilities, prevent data loss and exfiltration AND reduce security costs at the same time, here some key considerations to keep in mind when evaluating a WAF.
1. Performance against threats
Today, your online presence is expected to thrive, not just survive during cyber attacks. When you’re under attack, every second counts and you need to neutralize threats fast, without reducing network performance and without impacting your customers’ experience. The best WAF solution will enhance your response time – not drag it down – and can more quickly stop application layer attacks before they can penetrate, disrupt, or devastate your business operations and brand reputation.
Some WAFs only work if you purchase the provider’s Content Delivery Network (CDN), which, in addition to the extra costs, can also require numerous configuration changes, bogging down your internal DevOps and infrastructure resources. Most WAFs require a LOT of care and feeding, which demands expensive expertise and maintenance costs. To make matters worse, some WAF providers require that you purchase a new SSL certification, even if you already have one.
3. Application Compatibility
Not every WAF provider is cloud, hardware or CDN agnostic, and chances are, your applications live across two or more of these platforms today. Choosing a provider that limits or restricts your current application strategy with their solution can leave you exposed and bring upon numerous manageability issues when it comes to your application security.
Compliance and dependability are everything in cybersecurity. When trying to determine which WAF service is right for you, check to see if the provider meets the PCI Security Standards Council requirements. Doing the legwork on compliance research early on will not only ensure that your WAF is reliable, but it’ll also provide you peace of mind from liabilities, penalties, and alleviate the burden on some of your in-house resources from PCI required manual reviews and hardware deployments.
5. Layered Protection
The more barriers that you can put between the bad guy and your treasure, the better off you are. You can optimize the impact of your protection (and likely your budget) by pairing your WAF solution with the same vendor that provides your DDoS security. The combination of WAF and a DDoS mitigation service – keeping in mind that not all WAFs are capable of stopping DDoS attacks – provides the best chance at fending off not only bot-based volumetric DDoS attacks, but also threats against the application layer, such as SQL, XSS, CSRF, session hijackers, data exfiltration and zero-day vulnerabilities.
As the incessant stream of bots and breaches continue to grow larger and more frequent, it’s important to reassess your integrated security strategy. Adding the layered protection of a WAF to your current defenses not only helps to fend off exploits but helps to ensure you aren’t the next one making headlines.