Vendor View
Application Security in the Cloud
Application threats are constantly evolving. Recent high-profile Internet attacks on organizations like HBGary, RSA, WikiLeaks, Google, Comodo, and others prove that no one is immune. Anyone could be a target, and perpetrators are extremely organized, skilled, and well-funded. Culprits are often better trained than the IT staff deployed to thwart the attacks, which are targeted, elaborate, and aggressive--not to mention creative. The attacks are multi-layered and constant, and seek not only to deface a website, but to steal valuable data. Customer data, intellectual property, state secrets, SSL certificates, and other proprietary, highly sensitive information are the top targets.
Many organizations do a decent job of securing their infrastructure components, but are challenged when it comes to securing their web applications in a cloud environment. An application breach can cost companies significant amounts of money and seriously damage brand reputation. The 2010 annual study on data breaches by Symantec and the Ponemon Institute calculated that the average cost of a breach to a company was $214 per compromised record, and $7.2 million over the entire organization. In addition to financial losses, an organization may also have to address compliance and legal issues, public scrutiny, and loss of trust among shareholders and customers.
Protecting the Application Infrastructure and Delivering Secure Applications In the Cloud
Companies often grapple with how to secure their applications in the cloud, especially when they are unable to deploy their own security appliances and must rely on the provider's solutions. This can leave organizations vulnerable and potentially liable for failing to meet regulatory requirements.
Virtual editions of Web application firewalls are now available, and many deliver the same functionality as their physical counterparts. These cloud WAFs help companies maintain compliance when they deploy applications in the cloud. If an organization discovers an application vulnerability, a virtual WAF can quickly be deployed in the cloud environment to virtually patch the vulnerability immediately, until the development team can permanently fix the application. Additionally, organizations are often unable to fix applications developed by third parties, and this lack of control prevents many of them from considering cloud deployments. With virtual WAFs, organizations retain full control over securing their cloud infrastructure.
During application development, organizations sometimes struggle to understand how the application will perform when secured with a WAF. If available, they can deploy a virtual WAF both in production cloud environments and in lab/test environments. Using a virtual edition WAF identical to their production deployment, organizations can create, test, and tune their web application security policies during the development phase to ensure their applications are locked down at launch. Issues like false positives and false negatives that require policy adjustments can be addressed before deployment, and blocking pages, custom settings, and other configurations can be ready to go live. This allows organizations to verify the security of their virtualized applications, reduce testing costs, and increase testing speed, and it offers a highly flexible infrastructure for quick implementation in virtualized environments.
Automatic policy synchronization pushes a policy update to every deployment whenever a policy changes. It allows organizations to scale on demand cost-effectively and significantly reduces the maintenance time associated with multiple deployments. For example, a change made in the lab can be pushed to production, and a change made in the data center can be pushed to the cloud. Policy changes can also be made dynamically in the cloud in response to cloud bursting or a cloud-based attack, then pushed back to the data center or lab.
In the World "Wild" Web
When organizations choose a Virtual WAF, it should be designed to block attacks against all known classes of web application vulnerability, including the OWASP Top 10. A WAF should also support a positive security model, where the policy defines what is allowed and only those user actions are permitted.
AJAX (Asynchronous JavaScript and XML), a mix of technologies, is becoming more pervasive because it allows developers to deliver content without reloading the entire HTML page in which the AJAX objects are embedded. Unfortunately, poorly written AJAX code can allow an attacker to modify the application, prevent a user from seeing their customized content, or even initiate an XSS attack. Additionally, some developers are using JSON (JavaScript Object Notation) payloads, a lightweight data-interchange format understood by most modern programming languages and used to exchange information between browser and server. If JSON payloads carry sensitive information and are not handled securely, there is the potential for data leakage.
A top-notch WAF can parse JSON payloads and protect AJAX applications that use JSON to transfer data between client and server. The WAF should be able to enforce the proper security policy on those payloads and can even display an embedded blocking alert message. Very few WAF vendors (other than XML gateways) are capable of enforcing policy on JSON, yet AJAX is becoming more and more common even within enterprises. An organization should look to invest in a Virtual WAF that can handle AJAX, because even if it isn't currently using AJAX, it will certainly be in the near future.
AJAX and JSON aren't the only things to worry about. File upload forms and users uploading their own files can pose a significant risk to applications. Often, the first step in attacking a system is to insert code into the system and have it execute. File uploads can actually help an intruder accomplish this, enabling attackers to deface a website, introduce other vulnerabilities like XSS, add a phishing page to the website, or even upload a file in hopes that the IT administrator launches it.
WAFs should include anti-virus inspection using the Internet Content Adaptation Protocol (ICAP). Organizations need to protect against files uploaded using HTTP multipart transactions, like when a user fills out a browser form or includes file attachments and sends the entire message to a server. For SMTP, the WAF should inspect email content and attachments for spam. If a file is found to be infected, the WAF will quarantine that file, effectively slamming the door on those taking the first step in trying to gain unauthorized access and protecting systems from users who might be unaware that they are sharing malware.
In the GUI
Managing compliance is yet another daily consideration for IT. Organizations need an 'at-a-glance' or 'up to the minute' view of their regulation requirements. Virtual WAFs should include a 'dashboard' view, giving administrators a high-level overview of system status from security, health, and capacity perspectives. Security administrators can review Traffic Summary (throughput, TPS, requests), Attack Types, and any Anomaly Statistics. They can see the entire infrastructure or one particular application in real time or historically. Managing the security of applications and infrastructure has never been more important.
Conclusion
Virtual editions of WAFs offer flexible deployment and cloud security for virtualized applications. Organizations can easily consolidate multiple customers, groups, and applications on a single Virtual WAF. BIG-IP ASM can secure the latest interactive web applications, including those using AJAX/JSON, and offers enhanced ICAP support.
Today's Web Application Firewalls need to provide the application protection that organizations require to block evolving threats, no matter where applications are deployed in today's dynamic environments.
About the Author
Peter Silva is Technical Marketing Manager at F5 Systems.