Protecting Web Applications and Apis from Exploits and Abuse

Protecting Web Applications and Apis from Exploits and Abuse

This research note is restricted to the personal use of [email protected]. Protecting Web Applications and APIs From Exploits and Abuse Published: 24 April 2019 ID: G00383318 Analyst(s): Frank Catucci, Michael Isbitski, Ramon Krikken Web applications, mobile applications and web APIs are subject to increasing volumes and complexity of attacks. Security and risk management technical professionals responsible for application security architecture must use an appropriate mix of mitigating technologies to secure applications. Key Findings ■ Automated attack and abuse patterns have evolved, making firewalls and intrusion detection and prevention systems ineffective. Web application firewalls and API gateways only provide a partial solution. Bot mitigation capabilities can help by addressing the growing number of abuse scenarios. ■ Product categories, such as runtime application self-protection and application shielding, are emerging to fill gaps in application and API security. They can provide exploit mitigation, abuse mitigation and access control capabilities at different layers of an overall system implementation. ■ Modern application design and architectures affect edge and inner architecture defenses. A subset of protections and respective placement closer to workloads are beneficial, if not necessary, in protecting these modern architectures from attacks. Recommendations Security and risk management technical professionals focusing on security of applications should: ■ Identify integrated capabilities in existing solutions, emphasizing a cloud-first approach for flexibility and favoring security as a service over virtual appliances. Use strong exploit prevention and access control capabilities — security SDKs, WAFs or RASP for exploit prevention, and API gateways — for API access control and management. ■ Deploy integrated capabilities or dedicated solutions, DDoS protection, and bot mitigation based on expected levels of application and API abuse, as well as desired level of configurability. This research note is restricted to the personal use of [email protected]. This research note is restricted to the personal use of [email protected]. ■ Deploy protections for inner architecture to increase defense capabilities and resiliency against attacks by using API microgateways, container security and cloud workload protection platforms. Table of Contents Comparison........................................................................................................................................... 3 Analysis..................................................................................................................................................9 Selecting the Appropriate Protection Levels......................................................................................9 Selecting the Scope of Protection.............................................................................................10 Selecting Protection Against Denial of Service.......................................................................... 11 Selecting Protection Against Exploits........................................................................................ 12 Selecting Protection Against Abuse.......................................................................................... 13 Selecting Protection Against Access Violations......................................................................... 14 Selecting Protection Against Tampering and Reverse Engineering............................................ 15 Selecting the Right Technology Solutions........................................................................................16 Designing for Architectural Coverage and Flexibility...................................................................16 Choosing On-Premises Versus Cloud-Based Solutions.............................................................17 Balancing Integrated Capabilities and Dedicated Solutions....................................................... 17 Guidance..............................................................................................................................................20 Determine the Required Levels of Protection.................................................................................. 20 Prioritize the Use of Cloud-Based Security Services........................................................................21 Start With Integrated Platform Capabilities for Broad Coverage...................................................... 21 Add Dedicated Solutions for Specific or Additional Protection.........................................................22 Edge and Inner Architecture Protection Considerations.................................................................. 22 Details.................................................................................................................................................. 23 Categorizing Attacks Against Web Applications and Web APIs.......................................................23 Denial of Service.......................................................................................................................23 Exploits.....................................................................................................................................24 Abuse.......................................................................................................................................24 Access Violations......................................................................................................................25 Tampering and Reverse Engineering.........................................................................................26 Defining Automated Threats........................................................................................................... 26 Multifactor and Out-of-Band Authentication....................................................................................29 Application Security Capabilities to Address the Attack Categories.................................................29 API Gateways...........................................................................................................................29 Page 2 of 41 Gartner, Inc. | G00383318 This research note is restricted to the personal use of [email protected]. This research note is restricted to the personal use of [email protected]. Application Shielding and Application Wrapping........................................................................30 Bot Mitigation........................................................................................................................... 31 DDoS Protection.......................................................................................................................32 Runtime Application Self-Protection..........................................................................................33 Web Application Firewalls......................................................................................................... 35 Reusing Open Source to “Build Your Own”.....................................................................................37 Gartner Recommended Reading.......................................................................................................... 40 List of Tables Table 1. Effectiveness of Application Security Controls in Addressing the Five Attack Categories............ 7 Table 2. Architecture Components and Possible OSS or BYO Options................................................. 39 List of Figures Figure 1. Comparison of Application Security Control Components........................................................ 5 Figure 2. Determining the Appropriate Levels of Protection...................................................................10 Figure 3. Example Platform and Dedicated Solution Options................................................................ 18 Comparison Web applications, mobile applications and web APIs are subject to increasing numbers and complexity of attacks. Organizations must consider several factors when planning and implementing protections, including: ■ Public, limited-access external and internal applications and APIs require different levels of security. ■ No one capability covers all types of attacks. ■ No two capabilities have interchangeable protection efficacy. ■ Some of the capabilities have strong overlaps in addressing specific attack subcategories. ■ Enforcement of policy may be centralized or distributed (for example, use of API microgateways). As a result, a mix of capabilities, though not necessarily separate products, have to be put in place as a layered approach and tailored to the architecture that must be protected. Gartner, Inc. | G00383318 Page 3 of 41 This research note is restricted to the personal use of [email protected]. This research note is restricted to the personal use of [email protected]. Security teams should use the comparison to decide which solutions will provide their organizations’ applications and APIs with the right level of protection. Not all organizations or their applications are subject to the same level of threats and attacks, and application architectures will vary. To clearly understand the differences between capabilities, Gartner splits attacks on web and mobile applications and web APIs into five categories: ■ Denial of service (DoS) is a specific type of attack where the attacker’s

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    41 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us