The Need for a Web Application Firewall: Why Defense of Web Applications Requires Many Hands

WILD KINGDOM: The Need for a Web Application Firewall: Why Defense of Web Applications Requires Many Hands (eBook)

Contents

Executive Summary
Dangers of the Wild, Wild Web
Costs and Burdens of a Sophisticated Web
The Nature of Web Attacks and their Perpetrators
Attacks on Web Applications Come in an Assortment of Flavors
Sadly, Internal Resources Are Not Enough
Web Application Firewalls
Seven-Layer Strategic Defense
Living and Working in the Wild
About Yottaa

Executive Summary

The Internet is an ecosystem filled with predators, built on a platform that was never designed for the level of complexity it has reached. The sophisticated applications that now reside online have given rise to a class of equally sophisticated criminals ready to exploit every weakness. As companies build beyond their firewalls, employing web applications to increase accessibility, scope, and functionality, a new generation of attackers is chasing after them. This creates the need for multi-layered defense.

Organizations may believe they can handle these multifaceted attacks on their own, as they may have in the past. But it has become nearly impossible to fend them off, and attempting a fully in-house security effort often ends up wasting the time and talent of security personnel. It is not enough for companies to be aware of the dangers. In fact, companies should behave as if they have already been compromised, and should deploy a range of up-to-date tools to protect everyone and everything connected to them and their systems. Protection is a multilayered, multi-player strategy, a battle best fought with knowledgeable partners.

This eBook will review the current landscape of web application security, and cover in particular web application firewalls, one of the key tools in the fight for security. Finally, we will discuss Yottaa’s approach and viewpoint on security.
Dangers of the Wild, Wild Web

The web ecosystem can be a hostile place, in some ways a mirror of the natural world. In the wild, each creature must protect itself against numerous and varied forms of attack. There are predators everywhere – some large and some tiny, some obvious and some hidden, some lightning fast and some slow and persistent. Some of these creatures seek to devour and destroy, while others try to latch on as parasites, absorbing the energy of their hosts for their own benefit.

It might seem dramatic to compare the online world to a natural one. But in the connected digital world, everything – a commercial website, an email address, server, port, or even a keyboard – can come under attack from an increasing collection of clever and resourceful predators. Business that was formerly conducted in-house on computers with rudimentary intranets now takes place across multiple levels – in the cloud, outside of traditional firewalls, and through applications and scripts operated by third parties. This growth in complexity has set the stage for new forms of attack.

The attacked assets extend beyond a company’s website or e-commerce components as well. Most organizations offer or use rich media, software-as-a-service (SaaS), or cloud computing as part of their offerings in an effort to increase productivity for employees and ease of access for the end customer. Anywhere there is an increase in access to or use of the open Internet, there’s a corresponding increase in surface area for potential attack.

What’s more, although web applications are often located outside a company’s firewall, they often remain directly connected to the core IT infrastructure. Consequently, threats to web applications become direct and immediate threats to the organization and everyone connected to it. Customers and suppliers could lose data, money, or reputation when a company is attacked.
For the business itself, it can translate into substantial economic damage: $3.8 million on average per data breach according to the Ponemon Institute.

Costs and Burdens of a Sophisticated Web: How We Got Here (or Why You’re Part of the Problem)

Nearly all websites today can be considered “web apps,” as they’re far more complex and interactive than the static pages of years past. Most organizations, including those with an e-commerce component, incorporate a number of third-party integrations to connect with social media, transact commerce, and provide the dynamic functionality that customers expect. That means different types of independent software can run through a live application, interspersed with alien code.

The average webpage now includes 19 separate domains and 21 JavaScripts.[1] 55% of retail sites are vulnerable every single day of the year.[2]

The result of this change is that modern security concerns are not limited to traditionally guarded apps like online banking portals. The increased complexities of even the most simple web communication chains expose new vectors for attack, including penetrating defenses circuitously by way of a third-party script, rather than attacking them directly.

What’s more, in-house security teams and developers face a huge burden in the pace of development, as they push releases weekly, daily, or sometimes hourly or continuously. This forces them to focus their full attention on simply keeping up – not on whether their code is safe or up to internal standards.

The significant challenge of fending off attacks on all this new code is compounded by lacking control over or access to third-party code, and by legacy code that’s too unwieldy or outdated to secure effectively. Developers can only secure what they can touch, and the problem may literally be out of their hands.
As a result, adequate defense against attacks on web applications may be achieved only through trusted independent services that are highly adaptable.

[1] HTTP Archive, http://httparchive.org/trends.php
[2] Website Security Statistics Report 2015, WhiteHat Security

The Nature of Web Attacks and their Perpetrators

Highly motivated people work tirelessly to exploit any available weakness found in lines of code or in human behavior. In some cases, the motivation is vandalism, thrill seeking, or mischief. Others seek to eliminate a competitor by paralyzing its website or using it as a springboard towards larger, richer targets. In many cases, however, it is data they are after. Attackers are often big businesses – digital organized crime – that earn millions of dollars (or the Bitcoin equivalent) on the black market for those who resell email addresses, credit card information, names, and other vital data.

Web attacks are a permanent threat to the safe functioning of organizations and companies. They are human-made, as opposed to mechanical failures or external challenges like floods or solar flares. Omnipresent, they strive to overcome every system through relentless innovation and persistent application.

Attacks on Web Applications Come in an Assortment of Flavors

One of the most famous types of attacks is the Distributed Denial of Service (DDoS), in which an unmanageable number of web page requests are fired at a web application from many anonymized sources. The web application or website slows to a crawl or crashes, unable to keep up with the bombardment.

A low-and-slow attack (also named Slowloris, after its software) acts in a similar fashion but, instead of sending a large number of requests, it sends a smaller number, each of which “holds a line open” indefinitely – like keeping a customer service agent on the line for hours without saying anything.
Another type of attack involves inserting malicious code into form fields that most honest people would see as credit card number or address fields. This is known as SQL injection.

These are just three of the hundreds of existing attack techniques, and more arrive all the time. Any security system seeking to construct an adequate, up-to-date defense needs to understand each attack route. It must be able to defend against each in context, since some mitigation steps will work for some threats, but not for others. Attempting to defend against everything at once could do more harm than good, slowing performance, delaying legitimate page requests, and muddying the system.

Top vulnerabilities for 2014, by likelihood of presence on a given website:[3] 70% Information leakage; 56% Insufficient transport layer protection; 47% Cross-site scripting.

For an illustration of the challenge, let’s look at some of the top flaws. The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to the safety and security of the world’s software. One of its best-known publications is the OWASP Top Ten, a summary of the ten most critical web application security flaws. The list analyzes these flaws for damage potential and the degree of work required to rectify the problem. The current top ten are:

A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards

Each of these ten flaws is severe enough to allow attackers to take over a site, and two of these, A5: Security Misconfiguration, and A9: Using Components with Known Vulnerabilities, are out of scope. They cannot be rectified with normal procedures or tools. In other words, an internal security team will have its hands full trying to figure out what to do with A5 and A9 problems.
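The SQL injection passage above describes a form field whose contents end up running as part of a database query. As an added example (not code from the eBook or from Yottaa), this Python snippet puts an address lookup built by string concatenation beside the parameterized form that removes the flaw at the application layer, which is what a web application firewall is meant to backstop rather than replace; the table, its rows and the hostile field value are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a customer-address table of the kind an e-commerce
# checkout page would query by postal code. Not taken from the eBook.
ROWS = [
    ("alice", "12 Oak Street", "02139"),
    ("bob", "7 Elm Road", "02139"),
    ("carol", "99 Pine Avenue", "94016"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE addresses (customer TEXT, street TEXT, postal TEXT)")
    conn.executemany("INSERT INTO addresses VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, postal):
    """Concatenates the form field into the SQL text, so whatever the field
    contains is parsed as part of the statement rather than as data."""
    sql = "SELECT customer, street FROM addresses WHERE postal = '" + postal + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, postal):
    """Binds the form field as a parameter: the database engine treats it as a
    literal string value, so injected text can never alter the query."""
    sql = "SELECT customer, street FROM addresses WHERE postal = ?"
    return conn.execute(sql, (postal,)).fetchall()


# A constructed 'address field' value of the kind the eBook describes: it is
# not a postal code but text meant to be interpreted as SQL.
HOSTILE_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # The concatenated query becomes ... WHERE postal = '' OR '1'='1' and
    # returns every customer's address; the bound query matches no row.
    print("vulnerable:    ", lookup_vulnerable(db, HOSTILE_INPUT))
    print("parameterized: ", lookup_parameterized(db, HOSTILE_INPUT))
    print("honest lookup: ", lookup_parameterized(db, "02139"))
```

The same bound-parameter discipline applies to any field the page names (credit card number, address), and a WAF's signature checks in front of the application are a second layer, not a substitute for it.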
