WILD KINGDOM: The Need for a Web Application Firewall
Why Defense of Web Applications Requires Many Hands (eBook)

Contents

3 Executive Summary
4 Dangers of the Wild, Wild Web
5 Costs and Burdens of a Sophisticated Web
6 The Nature of Web Attacks and their Perpetrators
6 Attacks on Web Applications Come in an Assortment of Flavors
8 Sadly, Internal Resources Are Not Enough
9 Web Application Firewalls
10 Seven-Layer Strategic Defense
11 Living and Working in the Wild
12 About Yottaa

Executive Summary

The Internet is an ecosystem filled with predators, built on a platform that was never designed for the level of complexity it has reached. The sophisticated applications that now reside online have given rise to a class of equally sophisticated criminals ready to exploit every weakness.

As companies build beyond their firewalls, employing web applications to increase accessibility, scope, and functionality, a new generation of attackers is chasing after them. This creates the need for multi-layered defense.

Organizations may believe they can handle these multifaceted attacks on their own, as they may have in the past. But it has become nearly impossible to fend them off, and attempting a fully in-house security effort often wastes the time and talent of security personnel.

It is not enough for companies to be aware of the dangers. In fact, companies should behave as if they have already been compromised, and should deploy a range of up-to-date tools to protect everyone and everything connected to them and their systems. Protection is a multilayered, multi-player strategy, a battle best fought with knowledgeable partners.

This eBook will review the current web landscape, and cover in particular web application firewalls, one of the key tools in the fight for security. Finally, we will discuss Yottaa’s approach and viewpoint on security.


Dangers of the Wild, Wild Web

The web ecosystem can be a hostile place, in some ways a mirror of the natural world. In the wild, each creature must protect itself against numerous and varied forms of attack. There are predators everywhere – some large and some tiny, some obvious and some hidden, some lightning fast and some slow and persistent. Some of these creatures seek to devour and destroy, while others try to latch on as parasites, absorbing the energy of their hosts for their own benefit.

It might seem dramatic to compare the online world to a natural one. But in the connected digital world, everything – a commercial website, an email address, server, port, or even a keyboard – can come under attack from an increasing collection of clever and resourceful predators. Business that was formerly conducted in-house on computers with rudimentary intranets now takes place across multiple levels – in the cloud, outside of traditional firewalls, and through applications and scripts operated by third parties. This growth in complexity has set the stage for new forms of attack.

The attacked assets extend beyond a company’s website or e-commerce components as well. Most organizations offer or use rich media, software-as-a-service (SaaS), or cloud computing as part of their offerings in an effort to increase productivity for employees and ease of access for the end customer. Anywhere there is an increase in access to or use of the open Internet, there’s a corresponding increase in surface area for potential attack.

What’s more, although web applications are often located outside a company’s firewall, they often remain directly connected to the core IT infrastructure. Consequently, threats to web applications become direct and immediate threats to the organization and everyone connected to it. Customers and suppliers could lose data, money, or reputation when a company is attacked. For the business itself, it can translate into substantial economic damage: $3.8 million on average, according to the Ponemon Institute.


Costs and Burdens of a Sophisticated Web: How We Got Here (or Why You’re Part of the Problem)

Nearly all websites today can be considered “web apps,” as they’re far more complex and interactive than the static pages of years past. Most organizations, including those with an e-commerce component, incorporate a number of third-party integrations to connect with social media, transact commerce, and provide the dynamic functionality that customers expect. That means different types of independent software can run through a live application, interspersed with alien code. The result of this change is that modern security concerns are not limited to traditionally guarded apps like online banking portals. The increased complexities of even the most simple web communication chains expose new vectors for attack, including penetrating defenses circuitously by way of a third-party script, rather than attacking them directly.

The average webpage now includes:1 19 separate domains and 21 JavaScripts.

What’s more, in-house security teams and developers face a huge burden in the pace of development, as they push releases weekly, daily, or sometimes hourly or continuously. This forces them to focus their full attention on simply keeping up – not on whether their code is safe or up to internal standards. The significant challenge of fending off attacks on all this new code is compounded by lacking control over or access to third-party code, and legacy code that’s too unwieldy or outdated to secure effectively. Developers can only secure what they can touch, and the problem may literally be out of their hands. As a result, adequate defense against attacks to web applications may be achieved only through trusted independent services that are highly adaptable.

55% of retail sites are vulnerable every single day of the year.2

1 HTTP Archive, http://httparchive.org/trends.php
2 Website Security Statistics Report 2015, WhiteHat Security


The Nature of Web Attacks and their Perpetrators

Highly motivated people work tirelessly to exploit any available weakness found in lines of code or in human behavior. In some cases, the motivation is vandalism, thrill seeking, or mischief. Others seek to eliminate a competitor by paralyzing its website or using it as a springboard towards larger, richer targets. In many cases, however, it is data they are after. Attackers are often big businesses – digital organized crime – that earn millions of dollars (or the Bitcoin equivalent) on the black market for those who resell email addresses, credit card information, names, and other vital data.

Web attacks are a permanent threat to the safe functioning of organizations and companies. They are human-made, as opposed to mechanical failures or external challenges like floods or solar flares. Omnipresent, they strive to overcome every system through relentless innovation and persistent application.

Attacks on Web Applications Come in an Assortment of Flavors

One of the most famous types of attacks is the Distributed Denial of Service (DDoS), in which an unmanageable number of web page requests are fired at a web application from many anonymized sources. The web application or website slows to a crawl or crashes, unable to keep up with the bombardment. A slow and low attack (also named Slowloris, after its software) acts in a similar fashion but, instead of sending a large number of requests, it sends a smaller number, each of which “holds a line open” indefinitely – like keeping a customer service agent on the line for hours without saying anything. Another type of attack involves inserting database commands into form fields that most honest people would see as credit card number or address fields, so that the site passes them on to its database as part of a query. This is known as SQL injection.
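The SQL injection case above is the one a developer can close at the source, independently of any firewall. The following added example (it is not part of the eBook and not Yottaa’s code) builds a constructed in-memory customer table and runs the same form input through two lookups: one that splices the field into the query text, and one that binds it as a parameter. The table, the email values, and the hostile input are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a customer database (added example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query by string concatenation: whatever was typed into the
    form field becomes part of the SQL statement itself."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened form: the field value is bound as a parameter, so the database
    only ever compares it as data and never parses it as SQL."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Run both lookups on an honest value and on a constructed hostile value,
    returning the row sets so the difference can be inspected or asserted."""
    conn = make_db()
    honest = "alice@example.com"
    # Constructed hostile form input of the kind the text describes: it closes
    # the quoted string early and appends a condition that is always true.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),  # every row leaks
        "safe_honest": lookup_parameterized(conn, honest),
        "safe_hostile": lookup_parameterized(conn, hostile),  # no match at all
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

A WAF rule that matches quote-and-OR patterns would also stop this particular input, which is the kind of keyword check the eBook describes later; the parameterized query is the root fix because it works for inputs no rule anticipated.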


These are just three of the hundreds of existing attack techniques, and more arrive all the time. Any security system seeking to construct an adequate, up-to-date defense needs to understand each attack route. It must be able to defend against each in context, since some mitigation steps will work for some threats, but not for others. Attempting to defend against everything at once could do more harm than good, slowing performance, delaying legitimate page requests, and muddying the system.

Top vulnerabilities for 2014, by likelihood of presence on a given website:3 bars at 70%, 56%, and 47%; the categories shown are information leakage, insufficient transport layer protection, and cross-site scripting.

For an illustration of the challenge, let’s look at some of the top flaws. The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to the safety and security of the world’s software. One of its best-known publications is the OWASP Top Ten, a summary of the ten most critical web application security flaws. The list analyzes these flaws for damage potential and the degree of work required to rectify the problem. The current top ten are:

A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards

Each of these ten flaws is severe enough to allow attackers to take over a site, and two of these, A5: Security Misconfiguration, and A9: Using Components with Known Vulnerabilities, are out of scope. They cannot be rectified with normal procedures or tools.

In other words, an internal security team will have its hands full trying to figure out what to do with A5 and A9 problems. When an entire team is working on just two of the ten flaws, it leads to exposure on many other fronts. Focusing solely on these two items distracts the team from the other challenges inherent in keeping a network and business safe.

3 Website Security Statistics Report 2015, WhiteHat Security

Sadly, Internal Resources Are Not Enough

The bottom line is that there are too many new types of attacks for an internal team to manage, and it becomes a matter of cost efficiency and resource allocation.

It’s never welcome news to learn that criminal activity and viruses created by outside agents can only be fought by other outside agents, but this is largely true, due to the need for the type of specialization that these experts can provide. They make it their primary responsibility to stay on top of every new development in a growing industry, and have a solution at the ready. Internal security teams may be equally talented, but they often face a permanent backlog of internal issues that push real-time access further down the pile. Unfortunately, response to sophisticated modern web attacks cannot be delayed. It’d be a grave mistake to let time slip by and find yourself in your busy season, occupied with running your business, without having the necessary precautions for security. IT, development, and DevOps teams burdened with scaling up infrastructure and prepping an app before a code freeze are less likely to be doing the due diligence of code reviews and vulnerability assessments.

“We’re too small; we’re too busy” – the peril of excuses

Disaster preparedness may not be a comfortable subject, and those who are in charge of budgets and allocation of preventative measures often prefer to adopt an “it will never happen to us” attitude in order to save money. However, no company is too small or insignificant for an attack. An art gallery, for example, might seem like an unlikely target, but it has membership data, credit card information, and other items of value, both digital and physical. Even the smallest business – self-employed or home-based – can have data connections to larger companies (clients and suppliers), and can unwittingly operate as part of a larger heist. Moreover, are always on the job. There is no downtime for them.

The goal should be to be fully armed at all times. Enterprises must operate under the assumption that they have been compromised, and not assume they are maintaining a solid border. The web and its modern architectures are permeable membranes. Organizations have to understand where vulnerabilities exist, and how to mitigate, not eliminate, breaches.


Web Application Firewalls

A web application firewall (WAF) is a modern option available to build the kind of security needed to face down these attacks. Two reasons a WAF is valuable:

• It can cover the entirety of the application no matter what party supplies the code (i.e. it helps protect against vulnerabilities in components like a third-party plugin or a social media widget)
• It enables you to respond much faster to discovered vulnerabilities, especially zero-day vulnerabilities, whether in a third-party component or in your own application

A web application firewall is a server plugin or filter that inspects requests sent across the Internet via the hypertext transfer protocol (HTTP/S), which acts as the foundation for all web-based data (like web pages), and applies a set of rules to them. HTTP was not originally designed for today’s sophisticated uses, like e-commerce, complex scripts, and high-speed media. As a result, it is the starting place for much vulnerability. Rules and barriers are established by a web application firewall to defend against common attacks, including cross-site scripting (XSS) and SQL injection. Because these rules are virtual, they are also customizable. A web application firewall exists on the edge of the Internet and can intercept malicious activity, rather than waiting for it to infect the body of a company’s main server and core IT infrastructure.

Most businesses use some form of protection, like blocking IP addresses at the router, or a firewall to identify basic injection or XSS attacks. But WAF technology extends much further. A smaller, but growing, percentage of companies are utilizing a WAF for advanced detection that covers the gaps left by the more easily bypassed filters of traditional firewall configurations. A WAF can understand the logic of your application, sensing when things are amiss in the flow of requests and responses passing through it, even when they’re well disguised.


Seven-Layer Strategic Defense

Yottaa plays a strategic role in defending its clients’ online interests, but it will be the first to say its service is not, nor should be, the entire solution. Instead, it offers a vital component of web application security – a globally distributed, layer 3 through 7 web application firewall, providing real-time app and data protection, origin shielding, and DDoS mitigation.

“It’s advantageous to have multiple areas of defense, especially with cloud architecture,” says Ari Weil, VP of Marketing and Business Development, “We’re a great front-end defense. We are a very strong filter for complex and distributed web apps.”

The Yottaa approach is a platform for optimizing web applications that includes a WAF and CDN delivery. It applies scalable, in-depth context intelligence on the principle that if one layer cannot stop the threat, another layer can. It also operates on the principle that it is better to apply some defenses first, and hold back on others.

The seven layers are:

1. Allowing traffic only on web ports: Legitimate web traffic should only arrive over ports 80 (HTTP) and 443 (HTTPS). All other ports are blocked.

2. Geo-based blocking: This involves scanning the traffic on ports 80 and 443 by geographic location. This helps filter out calls from areas where a customer does not expect legitimate traffic.

3. Validating against a blacklist: Yottaa’s CDN has a global infrastructure that enables them to build and maintain a comprehensive list of known bad actors and block them accordingly.

4. Determining what is cached and what is not: In threat mitigation, requests for static (cached) content are served from the cache, so that mitigation resources can be focused on responding to requests for dynamic content.


5. Global distribution, in-line, always on, at the edge of the Internet: The best place to respond to many forms of attack is at the edge of the Internet, essentially engaging, dispersing, and/or neutralizing the enemy outside the castle moat.

6. Rate controls: Neutralizing slow and low attacks by limiting the number of requests a client is allowed through.

7. Web Application Firewall Rules: At this final layer, context intelligence asks verification questions to identify whether requests contain keywords that could indicate an injection style attack, and whether they appear to be coming from bots rather than humans.
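To make the seven layers concrete, and the earlier description of a WAF as a filter that applies rules to HTTP requests, here is an added example of the same decision sequence as a small Python filter. It is not Yottaa’s code and does not reproduce their platform; the geo lookup table, blacklist, static-file list, rate limit, and rule patterns are all constructed placeholders, and the sample requests are constructed too. Layer 5 (global, in-line, at the edge) is a deployment property, so the filter only notes it in a comment.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Request:
    """Minimal view of one inbound request (fields the seven layers need)."""
    src_ip: str
    port: int
    path: str
    query: str
    user_agent: str
    ts: float  # seconds, taken from the request's arrival time


# Layer 1: only the two web ports are accepted.
WEB_PORTS = {80, 443}
# Layer 2: constructed prefix-to-country table (hypothetical, for the demo only).
GEO_BY_PREFIX = {"203.0.113.": "XX", "198.51.100.": "US", "192.0.2.": "DE"}
BLOCKED_COUNTRIES = {"XX"}  # where this customer expects no legitimate traffic
# Layer 3: constructed blacklist of known bad actors.
BLACKLIST = {"198.51.100.99"}
# Layer 4: static content is answered from cache and skips deeper inspection.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".woff2")
# Layer 6: constructed rate control, requests per client per window.
RATE_LIMIT = 5
RATE_WINDOW = 1.0  # seconds
# Layer 7: constructed rule patterns for injection keywords and bot signatures.
INJECTION_PATTERNS = [
    re.compile(r"(?i)\bunion\b.+\bselect\b"),
    re.compile(r"(?i)'\s*or\s*'?\d*'?\s*=\s*'?\d*"),
    re.compile(r"(?i)<script\b"),
]
BOT_UA_PATTERNS = [re.compile(r"(?i)python-requests|curl/|^$")]


class SevenLayerFilter:
    def __init__(self):
        self._history = defaultdict(deque)  # src_ip -> recent timestamps

    def country_of(self, ip):
        for prefix, cc in GEO_BY_PREFIX.items():
            if ip.startswith(prefix):
                return cc
        return "??"

    def over_rate(self, ip, ts):
        """Sliding-window counter: True once a client exceeds RATE_LIMIT
        requests within RATE_WINDOW seconds."""
        q = self._history[ip]
        q.append(ts)
        while q and ts - q[0] > RATE_WINDOW:
            q.popleft()
        return len(q) > RATE_LIMIT

    def decide(self, req):
        """Return (verdict, layer): verdict is 'block', 'cache' or 'allow',
        layer is the number of the layer that made the decision."""
        if req.port not in WEB_PORTS:
            return "block", 1
        if self.country_of(req.src_ip) in BLOCKED_COUNTRIES:
            return "block", 2
        if req.src_ip in BLACKLIST:
            return "block", 3
        if req.path.endswith(STATIC_EXT):
            return "cache", 4
        # Layer 5: this filter would run in-line at every edge location.
        if self.over_rate(req.src_ip, req.ts):
            return "block", 6
        text = req.path + "?" + req.query
        if any(p.search(text) for p in INJECTION_PATTERNS):
            return "block", 7
        if any(p.search(req.user_agent) for p in BOT_UA_PATTERNS):
            return "block", 7
        return "allow", 7


def run_sample():
    """Feed constructed requests through the filter and return the verdicts."""
    f = SevenLayerFilter()
    ua = "Mozilla/5.0"
    reqs = [
        Request("192.0.2.10", 22, "/", "", ua, 0.0),                       # non-web port
        Request("203.0.113.5", 443, "/", "", ua, 0.0),                     # blocked country
        Request("198.51.100.99", 443, "/", "", ua, 0.0),                   # blacklisted
        Request("192.0.2.10", 443, "/static/app.js", "", ua, 0.0),         # static, cached
        Request("192.0.2.10", 443, "/search", "q=shoes", ua, 0.0),         # legitimate
        Request("192.0.2.10", 443, "/search", "q=' OR '1'='1", ua, 0.1),   # injection keywords
        Request("192.0.2.10", 443, "/search", "q=shoes", "curl/7.88", 0.2),  # bot signature
    ]
    results = [f.decide(r) for r in reqs]
    # Layer 6: RATE_LIMIT + 1 requests inside one window from a single client.
    for i in range(RATE_LIMIT + 1):
        results.append(f.decide(Request("192.0.2.20", 443, "/cart", "", ua, 0.1 * i)))
    return results


if __name__ == "__main__":
    for verdict, layer in run_sample():
        print(f"layer {layer}: {verdict}")
```

The ordering matters: cheap checks on port, origin, and reputation run before the cache decision, and the per-request rule matching of layer 7 is reached only by dynamic requests that survived the rate control. That is the “some defenses first, hold back on others” principle from the previous section in code.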

Living and Working in the Wild

No one can completely tame the wild nature of the public Internet. There will always be predators and evolution, and it will forever remain a moving target.

The best strategy is an agile and constantly evolving defense. For now, that means a web application firewall coupled with on-premise security measures, and a strong institutional focus on security across development, IT, and operations.


About Yottaa

Yottaa is a SaaS solution to manage, optimize and secure digital experience delivery.

Yottaa accelerates online and mobile performance, maximizes end user engagement, and delivers instant, actionable insights to drive business results via an intelligent, automated cloud platform. Our ContextIntelligence™ platform is purpose-built to deliver the power and flexibility required by IT organizations to exceed SLAs for uptime, performance, scalability and security, paired with patented technologies that accelerate the delivery of innovative features and products to improve online and mobile channel execution.

For more information, please visit

WWW.YOTTAA.COM

If you’d like to discuss this paper, or meet with one of our experts to help you expand upon this topic, please feel free to send an email to [email protected], or contact us toll free in the USA at 1-877-767-0154.

International customers can reach us at +1-617-896-7802. For more details, visit www.yottaa.com
