Protecting Web Applications and APIs From Exploits and Abuse

This research note is restricted to the personal use of [email protected].

Protecting Web Applications and APIs From Exploits and Abuse

Published: 24 April 2019
ID: G00383318
Analyst(s): Frank Catucci, Michael Isbitski, Ramon Krikken

Web applications, mobile applications and web APIs are subject to increasing volumes and complexity of attacks. Security and risk management technical professionals responsible for application security architecture must use an appropriate mix of mitigating technologies to secure applications.

Key Findings

■ Automated attack and abuse patterns have evolved, making firewalls and intrusion detection and prevention systems ineffective. Web application firewalls and API gateways only provide a partial solution. Bot mitigation capabilities can help by addressing the growing number of abuse scenarios.
■ Product categories, such as runtime application self-protection and application shielding, are emerging to fill gaps in application and API security. They can provide exploit mitigation, abuse mitigation and access control capabilities at different layers of an overall system implementation.
■ Modern application design and architectures affect edge and inner architecture defenses. A subset of protections and respective placement closer to workloads are beneficial, if not necessary, in protecting these modern architectures from attacks.

Recommendations

Security and risk management technical professionals focusing on security of applications should:

■ Identify integrated capabilities in existing solutions, emphasizing a cloud-first approach for flexibility and favoring security as a service over virtual appliances. Use strong exploit prevention and access control capabilities — security SDKs, WAFs or RASP for exploit prevention, and API gateways — for API access control and management.
■ Deploy integrated capabilities or dedicated solutions, DDoS protection, and bot mitigation based on expected levels of application and API abuse, as well as the desired level of configurability.
■ Deploy protections for inner architecture to increase defense capabilities and resiliency against attacks by using API microgateways, container security and cloud workload protection platforms.

Table of Contents

Comparison ... 3
Analysis ... 9
  Selecting the Appropriate Protection Levels ... 9
    Selecting the Scope of Protection ... 10
    Selecting Protection Against Denial of Service ... 11
    Selecting Protection Against Exploits ... 12
    Selecting Protection Against Abuse ... 13
    Selecting Protection Against Access Violations ... 14
    Selecting Protection Against Tampering and Reverse Engineering ... 15
  Selecting the Right Technology Solutions ... 16
    Designing for Architectural Coverage and Flexibility ... 16
    Choosing On-Premises Versus Cloud-Based Solutions ... 17
    Balancing Integrated Capabilities and Dedicated Solutions ... 17
Guidance ... 20
  Determine the Required Levels of Protection ... 20
  Prioritize the Use of Cloud-Based Security Services ... 21
  Start With Integrated Platform Capabilities for Broad Coverage ... 21
  Add Dedicated Solutions for Specific or Additional Protection ... 22
  Edge and Inner Architecture Protection Considerations ... 22
Details ... 23
  Categorizing Attacks Against Web Applications and Web APIs ... 23
    Denial of Service ... 23
    Exploits ... 24
    Abuse ... 24
    Access Violations ... 25
    Tampering and Reverse Engineering ... 26
  Defining Automated Threats ... 26
  Multifactor and Out-of-Band Authentication ... 29
  Application Security Capabilities to Address the Attack Categories ... 29
    API Gateways ... 29
    Application Shielding and Application Wrapping ... 30
    Bot Mitigation ... 31
    DDoS Protection ... 32
    Runtime Application Self-Protection ... 33
    Web Application Firewalls ... 35
  Reusing Open Source to “Build Your Own” ... 37
Gartner Recommended Reading ... 40

List of Tables

Table 1. Effectiveness of Application Security Controls in Addressing the Five Attack Categories ... 7
Table 2. Architecture Components and Possible OSS or BYO Options ... 39

List of Figures

Figure 1. Comparison of Application Security Control Components ... 5
Figure 2. Determining the Appropriate Levels of Protection ... 10
Figure 3. Example Platform and Dedicated Solution Options ... 18

Comparison

Web applications, mobile applications and web APIs are subject to increasing numbers and complexity of attacks. Organizations must consider several factors when planning and implementing protections, including:

■ Public, limited-access external and internal applications and APIs require different levels of security.
■ No one capability covers all types of attacks.
■ No two capabilities have interchangeable protection efficacy.
■ Some of the capabilities have strong overlaps in addressing specific attack subcategories.
■ Enforcement of policy may be centralized or distributed (for example, use of API microgateways).

As a result, a mix of capabilities, though not necessarily separate products, has to be put in place as a layered approach and tailored to the architecture that must be protected.

Security teams should use the comparison to decide which solutions will provide their organizations’ applications and APIs with the right level of protection. Not all organizations or their applications are subject to the same level of threats and attacks, and application architectures will vary.

To clearly understand the differences between capabilities, Gartner splits attacks on web and mobile applications and web APIs into five categories:

■ Denial of service (DoS) is a specific type of attack where the attacker’s