main

Botnets

How Hard Is It to Build a Botnet?

August 13, 2019 — by David Hobbs0

botnet-960x540.jpg

While working on Radware’s Ultimate Guide to Bot Management, I began wondering what would it take to build a botnet.

Would I have to dive into the Darknet and find criminal hackers and marketplaces to obtain the tools to make one? How much effort would it take to build a complicated system that would avoid detection and mitigation, and what level of expertise is required to make a scraping/credential stuffing and website abuse botnet?

At Your Fingertips

What I discovered was amazing. I didn’t even need to dive into the Darknet; everything anyone would need was readily available on the public internet. 

[You may also like: What You Need to Know About Botnets]

My learning didn’t end there. During this exploration, I noticed that many organizations use botnets in one form or another against their competitors or to gain a competitive advantage. Of course, I knew hackers leverage botnets for profit; but the availability of botnet building tools makes it easy for anyone to construct botnets that can access web interfaces and APIs while disguising their location and user agents. 

The use cases being advertised from these toolsets range from data harvesting, to account creation and account takeover, to inventory manipulation capabilities, advertising fraud and a variety of ways to monetize and automate integrations into well known systems for IT.  

[You may also like: 5 Things to Consider When Choosing a Bot Management Solution]

Mobile Phone Farms

These tools designers and services clearly know there is a market for cyber criminality, and some are shameless about promoting it.

For example, per a recent Vice article examining mobile phone farms, companies are incentivizing traffic to their apps and content by paying users. Indeed, it appears that people can make anywhere from $100-300 a month per mobile phone on apps like perk TV, Fusion TV, MyPoints or even categorizing shows for Netflix. They merely have to take surveys, watch television shows, categorize content or check into establishments.

[You may also like: Botnets: DDoS and Beyond]

More specifically, people are building mobile phone farms with cheap android devices and used phones, and scale up their operations to a point where they can make a couple of thousands of dollars (or more!) per month. These farms can be rented out to conduct more nefarious activities, like price scraping, data harvesting, ticket purchasing, account takeover, fake article writing and social media development, hacking, launching launching DDoS attacks and more.  To complicate matters, thanks to proxy servers and VPN tools, it has become nearly impossible to detect if a phone farm is being used against a site.  

What’s Next?

It’s not a far leap to assume that incentivized engagement may very well invite people to build botnets. How long until somebody develops an app to “rent your phone’s spare cycles” to scrape data, or watch content, write reviews, etc. (in other words, things that aren’t completely against the law) for money? Would people sign up to make extra beer money in exchange for allowing botnet operators to click on ads and look at websites for data harvesting?

I think it’s just a matter of time before this idea takes flight. Are you prepared today to protect against the sophisticated botnets? Do you have a dedicated bot management solution? When the botnets evolve into the next generation, will you be ready?

Read “The Ultimate Guide to Bot Management” to learn more.

Download Now

Security

Navigating the Bot Ecosystem

August 8, 2019 — by Carl Herberger0

UGBM-Image-2-960x698.jpg

Bots touch virtually every part of our digital lives — and now account for over half of all web traffic.

This represents both a problem and a paradox. Bots can be good, and bots can be bad; removing good bots is bad and leaving bad bots can be even worse.

Having said that, few businesses, application owners, users, designers, security practitioners, or network engineers can distinguish the difference between good bots and bad bots in their operating environments.

As the speed of business continues to accelerate and automate, the instantaneous ability to distinguish legitimate, automated communications from illegitimate will be among the most crucial security controls we can on board.

Differentiating Between Good & Bad Bots

Indeed, as the volume of automated communication over the internet has dramatically increased,and according to Radware’s research, today’s internet now represents a majority (52%) of bot traffic. But how much of that traffic is “good” vs. “bad”?

[You may also like: Good Bots Vs. Bad Bots: What’s The Impact On Your Business?]

Some help populate our news feeds, tell the weather, provide stock quotes and control search rankings. We use bots to book travel, access online customer support, even to turn our lights on and off and unlock our doors.

But other bots are designed for more mischievous purposes — including account takeover, content scraping, payment fraud and denial-of-service (DoS) attacks. These bots account for as much as 26% of total internet traffic, and their attacks are often carried out by competitors looking to undermine your competitive advantage, steal your information or increase your online marketing costs.

These “bad bots” represent one of the fastest growing and gravest threats to websites, mobile applications and application programming interfaces (APIs). And they’re fueling a rise in automated attacks against businesses, driving the need for bot management.

[You may also like: Key Considerations In Bot Management Evaluation]

In the early days, the use of bots was limited to small scraping attempts or spamming. Today, things are vastly different. Bots are used to take over user accounts, perform DDoS attacks, abuse APIs, scrape unique content and pricing information, increase costs of competitors, deny inventory turnover and more. It’s no surprise, then, that Gartner mentioned  bot management at the peak of inflated expectations under the high benefit category in its Hype Cycle for Application Security 2018.

The ULTIMATE Guide to Bot Management

Recognizing the inescapable reality of today’s evolving bots, we have released the Ultimate Guide to Bot Management. This e-book provides an overview of evolving bot threats, outlines options for detection and mitigation, and offers a concise buyer guide to help evaluate potential bot management solutions.

From the generational leaps forward in bot design and use, to the techniques leveraged to outsmart and cloak themselves from detection, we’ve got you covered. The guide also dives into the bot problems across web, API and SDK / Mobile applications, and the most effective architectural strategies in pursuing solutions.

We hope you enjoy this tool as it becomes a must-have reference manual and provides you with the necessary map to navigate the murky waters and mayhem of bot management!

Read “The Ultimate Guide to Bot Management” to learn more.

Download Now

Security

Good Bots Vs. Bad Bots: What’s The Impact On Your Business?

August 7, 2019 — by Radware0

goodbadbots-960x538.jpg

Roughly half of today’s internet traffic is non-human (i.e., generated by bots). While some are good—like those that crawl websites for web indexing, content aggregation, and market or pricing intelligence—others are “bad.”

These bad bots (roughly 26% of internet traffic) disrupt service, steal data and perform fraudulent activities. And they target all channels, including websites APIs and mobile applications.

[You may also like: Bots in the Boardroom]

Watch this webcast sponsored by Radware to discover all about about bots, including malicious bot traffic and what you can do to protect your organization from such threats.

Read “2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security into a Competitive Advantage” to learn more.

Download Now

Security

Bots in the Boardroom

July 10, 2019 — by Radware0

botsbots-960x538.jpg

This year, 82% of Radware’s C-Suite Perspectives survey respondents reported a focus on automation compared to 71% who indicated the same response in 2018. What’s driving the need for increased automation in cybersecurity solutions?

The increasing threat posed by next-generation malicious bots that mimic human behavior.

Vulnerabilities Abound

Almost half of all executives believed that their websites were extremely or likely prone to attacks. More than one-quarter of the respondents reported that their mobile applications were attacked on a daily or more frequent basis.

[You may also like: Bot or Not? Distinguishing Between the Good, the Bad & the Ugly]

Websites and mobile apps are the digital tools that customers use to interact with companies. About half of the respondents indicated that the impact of attacks on their company’s website was stolen accounts, unauthorized access or content scraping. Two in five said that the attacks were launched by both humans and bots, while one-third credited humans only for the attacks.

Executives in AMER were more likely than those in other regions to say that their sites were extremely prone to attacks.

The Impacts of Bots on Business

Most respondents said that they have discussed the impact of bots on business operations at the executive level. Rankings of how frequently items regarding bots were discussed at the executive level vary by vertical.

Half of the executives acknowledged that bot attacks were a risk but were confident that their staff was managing the threat. Despite this confidence, the market for bot management solutions is still small and emerging, and is expected to experience a compound annual growth rate of 36.7% from 2017 to 2022, according to Frost and Sullivan.

[You may also like: CISOs, Know Your Enemy: An Industry-Wise Look At Major Bot Threats]

Two in five said that they relied on bots to accelerate business processes and information sharing. An equal number of respondents complained about how bots influence the metrics of their business unit. AMER executives were more likely than those in APAC to say that bots are cost-effective.

Read “2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security into a Competitive Advantage” to learn more.

Download Now

BotnetsDDoS

Botnets: DDoS and Beyond

June 20, 2019 — by Daniel Smith0

botnets-960x540.jpg

Traditionally, DDoS is an avenue of profit for botherders. But today’s botnets have evolved to include several attack vectors other than DDoS that are more profitable. And just as any business-oriented person would do, attackers follow the money.

As a result, botherders are targeting enterprise and network software, since residential devices have become over saturated. The days of simple credentials-based attacks are long behind us. Attackers are now looking for enterprise devices that will help expand their offerings and assists in developing additional avenues of profit.

A few years ago, when IoT botnets became all the rage, they were mainly targeting residential devices with simple credential attacks (something the DDoS industry does not prevent from happening; instead we take the position of mitigating attacks coming from infected residential devices).

[You may also like: IoT Botnets on the Rise]

From Personal to Enterprise

But now that attackers are targeting enterprise devices, the industry must reevaluate the growing threat behind today’s botnets.

We now have to focus on not only protecting the network from external attacks but also the devices and servers found in a typical enterprise network from being infected by botnet malware and leveraged to launch attacks.

In a blog posted on MIT’s Technology Review titled, Inside the business model for botnets, C.G.J. Putman and colleagues from the University of Twente in the Netherlands detail the economics of a botnet. The article sheds some light on the absence of DDoS attacks and the growth of other vectors of attack generated from a botnet.

In their report, the team states that DDoS attacks from a botnet with 30,000 infected devices could generate around $26,000 a month. While that might seem like a lot, it’s actually a drop in the bucket compared to other attack vectors that can be produced from a botnet.

For example, C.G.J. Putman and Associates reported that a spamming botnet with 10,000 infected devices can generate $300,000 a month. The most profitable? Click fraud, which can generate over $20 million per month in profit.

[You may also like: Ad Fraud 101: How Cybercriminals Profit from Clicks]

To put that in perspective, AppleJ4ck and P1st from Lizard Squad made close to $600,000 over 2 years’ operating a stresser service called vDoS.

So let me ask this: If you are a botherder risking your freedom for profit, are you going to construct a botnet strictly for DDoS attacks or will you construct a botnet with more architecturally diverse devices to support additional vectors of profit?

Exactly. Botherders will continue to maximize their efforts and profitability by targeting enterprise devices.

Read the “IoT Attack Handbook – A Field Guide to Understanding IoT Attacks from the Mirai Botnet and its Modern Variants” to learn more.

Download Now

Security

IDBA: A Patented Bot Detection Technology

June 13, 2019 — by Radware0

AdobeStock_42807981-960x720.jpg

Over half of all internet traffic is generated by bots — some legitimate, some malicious. Competitors and adversaries alike deploy “bad” bots that leverage different methods to achieve nefarious objectives. This includes account takeover, scraping data, denying available inventory and launching denial-of-service attacks with the intent of stealing data or causing service disruptions.

These attacks often go undetected by conventional mitigation systems and strategies because bots have evolved from basic scripts to large-scale distributed bots with human-like interaction capabilities to evade detection mechanisms. To stay ahead of the threat landscape requires more sophisticated, advanced capabilities to accurately detect and mitigate these threats. One of the key technical capabilities required to stop today’s most advanced bots is intent-based deep behavioral analysis (IDBA).

What Exactly is IDBA?

IDBA is a major step forward in bot detection technology because it performs behavioral analysis at a higher level of abstraction of intent, unlike the commonly used, shallow interaction-based behavioral analysis. For example, account takeover is an example of an intent, while “mouse pointer moving in a straight line” is an example of an interaction.

[You may also like: 5 Things to Consider When Choosing a Bot Management Solution]

Capturing intent enables IDBA to provide significantly higher levels of accuracy to detect advanced bots. IDBA is designed to leverage the latest developments in deep learning.

More specifically, IDBA uses semi-supervised learning models to overcome the challenges of inaccurately labeled data, bot mutation and the anomalous behavior of human users. And it leverages intent encoding, intent analysis and adaptive-learning techniques to accurately detect large-scale distributed bots with sophisticated human-like interaction capabilities.

[You may also like: Bot Managers Are a Cash-Back Program For Your Company]

3 Stages of IDBA

A visitor’s journey through a web property needs to be analyzed in addition to the interaction-level characteristics, such as mouse movements. Using richer behavioral information, an incoming visitor can be classified as a human or bot in three stages:

  • Intent encoding: The visitor’s journey through a web property is captured through signals such as mouse or keystroke interactions, URL and referrer traversals, and time stamps. These signals are encoded using a proprietary, deep neural network architecture into an intent encoding-based, fixed-length representation. The encoding network jointly achieves two objectives: to be able to represent the anomalous characteristics of completely new categories of bots and to provide greater weight to behavioral characteristics that differ between humans and bots.

[You may also like: Bot or Not? Distinguishing Between the Good, the Bad & the Ugly]

  • Intent analysis: Here, the intent encoding of the user is analyzed using multiple machine learning modules in parallel. A combination of supervised and unsupervised learning-based modules are used to detect both known and unknown patterns.
  • Adaptive learning: The adaptive-learning module collects the predictions made by the different models and takes actions on bots based on these predictions. In many cases, the action involves presenting a challenge to the visitor like a CAPTCHA or an SMS OTP that provides a feedback mechanism (i.e., CAPTCHA solved). This feedback is incorporated to improvise the decision-making process. Decisions can be broadly categorized into two types of tasks.
    • Determining thresholds: The thresholds to be chosen for anomaly scores and classification probabilities are determined through adaptive threshold control techniques.
    • Identifying bot clusters: Selective incremental blacklisting is performed on suspicious clusters. The suspicion scores associated with the clusters (obtained from the collusion detector module) are used to set prior bias.

[You may also like: The Big, Bad Bot Problem]

IDBA or Bust!

Current bot detection and classification methodologies are ineffective in countering the threats posed by rapidly evolving and mutating sophisticated bots.

Bot detection techniques that use interaction-based behavioral analysis can identify Level 3 bots but fail to detect the advanced Level 4 bots that have human-like interaction capabilities. The unavailability of correctly labeled data for Level 4 bots, bot mutations and the anomalous behavior of human visitors from disparate industry domains require the development of semi-supervised models that work at a higher level of abstraction of intent, unlike only interaction-based behavioral analysis.

IDBA leverages a combination of intent encoding, intent analysis and adaptive-learning techniques to identify the intent behind attacks perpetrated by massively distributed human-like bots.

Read “How to Evaluate Bot Management Solutions” to learn more.

Download Now

Application SecurityWAFWeb Application Firewall

Bot Manager vs. WAF: Why You Actually Need Both

June 6, 2019 — by Ben Zilberman0

BotWAF-960x641.jpg

Over 50% of web traffic is comprised of bots, and 89% of organizations have suffered attacks against web applications. Websites and mobile apps are two of the biggest revenue drivers for businesses and help solidify a company’s reputation with tech-savvy consumers. However, these digital engagement tools are coming under increasing threats from an array of sophisticated cyberattacks, including bots.

While a percentage of bots are used to automate business processes and tasks, others are designed for mischievous purposes, including account takeover, content scraping, payment fraud and denial-of-service attacks. Often, these attacks are carried out by competitors looking to undermine a company’s competitive advantage, steal information or increase your online marketing costs.

[You may also like: 5 Things to Consider When Choosing a Bot Management Solution]

When Will You Need a Bot Detection Solution?

Sophisticated, next-generation bots can evade traditional security controls and go undetected by application owners. However, their impact can be noticed, and there are several indicators that can alert a company of malicious bot activity:

Why a WAF Isn’t an Effective Bot Detection Tool

WAFsare primarily created to safeguard websites against application vulnerability exploitations like SQL Injections, cross-site scripting (XSS), cross-site request forgery, session hijacking and other web attacks. WAFs typically feature basic bot mitigation capabilities and can block bots based on IPs or device fingerprinting.

However, WAFs fall short when facing more advanced, automated threats. Moreover, next-generation bots use sophisticated techniques to remain undetected, such as mimicking human behavior, abusing open-source tools or generating multiple violations in different sessions.

[You may also like: The Big, Bad Bot Problem]

Against these sophisticated threats, WAFs won’t get the job done.

The Benefits of Synergy

As the complexity of multi-vector cyberattacks increases, security systems must work in concert to mitigate these threats. In the case of application security, a combination of behavioral analytics to detect malicious bot activity and a WAF to protect against vulnerability exploitations and guard sensitive data is critical.

Moreover, many threats can be blocked at the network level before reaching the application servers. This not only reduces risk, but also reduces the processing loads on the network infrastructure by filtering malicious bot traffic.

Read “How to Evaluate Bot Management Solutions” to learn more.

Download Now

Security

5 Things to Consider When Choosing a Bot Management Solution

June 4, 2019 — by Radware0

5thingsbot-960x540.jpg

For organizations both large and small, securing the digital experience necessitates the need for a dedicated bot management solution. Regardless of the size of your organization, the escalating intensity of global bot traffic and the increasing severity of its overall impact mean that bot management solutions are crucial to ensuring business continuity and success.

The rise in malicious bot traffic, and more specifically, bots that mimic human-like behavior and require advanced machine learning to mitigate, require the ability to distinguish the wolf in sheep’s clothing.

We previously covered the basics in bot management evaluation, and urge you to likewise consider the following factors when choosing a solution.

Extensibility and Flexibility

True bot management goes beyond just the website. An enterprise-grade solution should protect all online assets, including your website, mobile apps and APIs. Protecting APIs and mobile apps is equally crucial, as is interoperability with systems belonging to your business partners and vital third-party APIs.

[You may also like: Key Considerations In Bot Management Evaluation]

Flexible Deployment Options

Bot mitigation solutions should be easy to deploy and operate with the existing infrastructure, such as CDNs and WAFs, as well as various technology stacks and application servers. Look for solutions that have a range of integration options, including web servers/CDNs/CMS plugins, SDKs for Java, PHP, .NET, Python, ColdFusion, Node.js, etc., as well as via JavaScript tags and virtual appliances.

A solution with non-intrusive API-based integration capability is key to ensuring minimal impact on your web assets.

[You may also like: Bots 101: This is Why We Can’t Have Nice Things]

Finally, any solution provider should ideally have multiple globally distributed points of presence to maximize system availability, minimize latency and overcome any internet congestion issues.

Is It a Fully Managed and Self-Reliant Service?

Webpage requests can number in the millions per minute for popular websites, and data processing for bot detection needs to be accomplished in real time. This makes manual intervention impossible — even adding suspected IP address ranges is useless in countering bots that cycle through vast numbers of addresses to evade detection. As a result, a key question that needs to be answered is does the solution require a specialized team to manage it, or does it operate autonomously after initial setup?

[You may also like: The Big, Bad Bot Problem]

Bot mitigation engines equipped with advanced technologies, such as machine learning, help with automating their management capabilities to significantly reduce the time and workforce needed to manage bots. Automated responses to threats and a system that does not require manual intervention considerably reduce the total cost of ownership.

Building vs. Buying

Large organizations have resources to develop their own in-house bot management solutions, but most companies do not have the time, resources or money to accomplish that. Building an adaptive and sophisticated bot mitigation solution, which can counter constantly evolving bots, can take years of specialized development.

Financially, it makes business sense to minimize capex and purchase cloud-based bot mitigation solutions on a subscription basis. This can help companies realize the value of bot management without making a large upfront investment.

[You may also like: Bot or Not? Distinguishing Between the Good, the Bad & the Ugly]

Data Security, Privacy and Compliance Factors

A solution should ensure that traffic does not leave a network — or, in case it does, data should be in an encrypted and hashed format to maximize privacy and compliance. Ensuring that the bot mitigation solution is compliant with the GDPR regulations pertaining to data at rest and data in transit will help avoid personal data breaches and the risk of financial and legal penalties

Read “How to Evaluate Bot Management Solutions” to learn more.

Download Now

Security

Key Considerations In Bot Management Evaluation

May 9, 2019 — by Radware0

AdobeStock_232727332-960x524.jpg

The escalating intensity of global bot traffic and the increasing severity of its overall impact mean that dedicated bot management solutions are crucial to ensuring business continuity and success. This is particularly true since more sophisticated bad bots can now mimic human behavior and easily deceive conventional cybersecurity solutions/bot management systems.

Addressing highly sophisticated and automated bot-based cyberthreats requires deep analysis of bots’ tactics and intentions. According to Forrester Research’s The Forrester New Wave™: Bot Management, Q3 2018 report, “Attack detection, attack response and threat research are the biggest differentiators. Bot management tools differ greatly in their detection methods; many have very limited — if any — automated response capabilities. Bot management tools must determine the intent of automated traffic in real time to distinguish between good bots and bad bots.”

When selecting a bot mitigation solution, companies must evaluate the following criteria to determine which best fit their unique needs.

Basic Bot Management Features

Organizations should evaluate the range of possible response actions — such as blocking, limiting, the ability to outwit competitors by serving fake data and the ability to take custom actions based on bot signatures and types.

[You may also like: CISOs, Know Your Enemy: An Industry-Wise Look At Major Bot Threats]

Any solution should have the flexibility to take different mitigation approaches on various sections and subdomains of a website, and the ability to integrate with only a certain subset of from pages of that website — for example, a “monitor mode” with no impact on web traffic to provide users with insight into the solution’s capabilities during the trial before activating real-time active blocking mode.

Additionally, any enterprise-grade solution should be able to be integrated with popular analytics dashboards such as Adobe or Google Analytics to provide reports on nonhuman traffic.

Capability to Detect Large-Scale Distributed Humanlike Bots

When selecting a bot mitigation solution, businesses should try to understand the underlying technique used to identify and manage sophisticated attacks such as large-scale distributed botnet attacks and “low and slow” attacks, which attempt to evade security countermeasures.

[You may also like: Bots 101: This is Why We Can’t Have Nice Things]

Traditional defenses fall short of necessary detection features to counter such attacks. Dynamic IP attacks render IP-based mitigation useless. A rate-limiting system without any behavioral learning means dropping real customers when attacks happen. Some WAFs and rate-limiting systems that are often bundled or sold along with content delivery networks (CDNs) are incapable of detecting sophisticated bots that mimic human behavior.

The rise of highly sophisticated humanlike bots in recent years requires more advanced techniques in detection and response. Selection and evaluation criteria should focus on the various methodologies that any vendor’s solution uses to detect bots, e.g., device and browser fingerprinting, intent and behavioral analyses, collective bot intelligence and threat research, as well as other foundational techniques.

A Bot Detection Engine That Continuously Adapts to Beat Scammers and Outsmart Competitors

  • How advanced is the solution’s bot detection technology?
  • Does it use unique device and browser fingerprinting?
  • Does it leverage intent analysis in addition to user behavioral analysis?
  • How deep and effective are the fingerprinting and user behavioral modeling?
  • Do they leverage collective threat intelligence?

[You may also like: The Big, Bad Bot Problem]

Any bot management system should accomplish all of this in addition to collecting hundreds of parameters from users’ browsers and devices to uniquely identify them and analyze the behavior. It should also match the deception capabilities of sophisticated bots. Ask for examples of sophisticated attacks that the solution was able to detect and block.

Impact on User Experience — Latency, Accuracy and Scalability

Website and application latency creates a poor user experience. Any bot mitigation solution shouldn’t add to that latency, but rather should identify issues that help resolve it.

Accuracy of bot detection is critical. Any solution must not only distinguish good bots from malicious ones but also most enhance the user experience and allow authorized bots from search engines and partners. Maintaining a consistent user experience on sites such as B2C e-commerce portals can be difficult during peak hours. The solution should be scalable to handle spikes in traffic.

[You may also like: Bot or Not? Distinguishing Between the Good, the Bad & the Ugly]

Keeping false positives to a minimal level to ensure that user experience is not impacted is equally important. Real users should never have to solve a CAPTCHA or prove that they’re not a bot. An enterprise-grade bot detection engine should have deep-learning and self-optimizing capabilities to identify and block constantly evolving bots that alter their characteristics to evade detection by basic security systems.

Read “How to Evaluate Bot Management Solutions” to learn more.

Download Now

Application Security

4 Emerging Challenges in Securing Modern Applications

May 1, 2019 — by Radware0

appsecurity-960x474.jpg

Modern applications are difficult to secure. Whether they are web or mobile, custom developed or SaaS-based, applications are now scattered across different platforms and frameworks. To accelerate service development and business operations, applications rely on third-party resources that they interact with via APIs, well-orchestrated by state-of-the-art automation and synchronization tools. As a result, the attack surface becomes greater as there are more blind spots – higher exposure to risk.

Applications, as well as APIs, must be protected against an expanding variety of attack methods and sources and must be able to make educated decisions in real time to mitigate automated attacks. Moreover, applications constantly change, and security policies must adopt just as fast. Otherwise, businesses face increased manual labor and operational costs, in addition to a weaker security posture. 

The WAF Ten Commandments

The OWASP Top 10 list serves as an industry benchmark for the application security community, and provides a starting point for ensuring protection from the most common and virulent threats, application misconfigurations that can lead to vulnerabilities, and detection tactics and mitigations. It also defines the basic capabilities required from a Web Application Firewall in order to protect against common attacks targeting web applications like injections, cross-site scripting, CSRF, session hijacking, etc. There are numerous ways to exploit these vulnerabilities, and WAFs must be tested for security effectiveness.

However, vulnerability protection is just the basics. Advanced threats force application security solutions to do more.

Challenge 1: Bot Management

52% of internet traffic is bot generated, half of which is attributed to “bad” bots. Unfortunately, 79% of organizations can’t make a clear distinction between good and bad bots. The impact is felt across all business arms as bad bots take over user accounts and payment information, scrape confidential data, hold up inventory and skew marketing metrics, thus leading to wrong decisions. Sophisticated bots mimic human behavior and easily bypass CAPTCHA or other challenges. Distributed bots render IP-based and even device fingerprinting based protection ineffective. Defenders must level up the game.

[You may also like: CISOs, Know Your Enemy: An Industry-Wise Look At Major Bot Threats]

Challenge 2: Securing APIs

Machine-to-machine communications, integrated IoTs, event driven functions and many other use cases leverage APIs as the glue for agility. Many applications gather information and data from services with which they interact via APIs. Threats to API vulnerabilities include injections, protocol attacks, parameter manipulations, invalidated redirects and bot attacks. Businesses tend to grant access to sensitive data, without inspecting nor protect APIs to detect cyberattacks. Don’t be one of them.

[You may also like: How to Prevent Real-Time API Abuse]

Challenge 3: Denial of Service

Different forms of application-layer DoS attacks are still very effective at bringing application services down. This includes HTTP/S floods, low and slow attacks (Slowloris, LOIC, Torshammer), dynamic IP attacks, buffer overflow, Brute Force attacks and more. Driven by IoT botnets, application-layer attacks have become the preferred DDoS attack vector. Even the greatest application protection is worthless if the service itself can be knocked down.

[You may also like: DDoS Protection Requires Looking Both Ways]

Challenge 4: Continuous Security

For modern DevOps, agility is valued at the expense of security. Development and roll-out methodologies, such as continuous delivery, mean applications are continuously modified. It is extremely difficult to maintain a valid security policy to safeguard sensitive data in dynamic conditions without creating a high number of false positives. This task has gone way beyond humans, as the error rate and additional costs they impose are enormous. Organizations need machine-learning based solutions that map application resources, analyze possible threats, create and optimize security policies in real time.

[You may also like: Are Your DevOps Your Biggest Security Risks?]

Protecting All Applications

It’s critical that your solution protects applications on all platforms, against all attacks, through all the channels and at all times. Here’s how:

  • Application security solutions must encompass web and mobile apps, as well as APIs.
  • Bot Management solutions need to overcome the most sophisticated bot attacks.
  • Mitigating DDoS attacks is an essential and integrated part of application security solutions.
  • A future-proof solution must protect containerized applications, serverless functions, and integrate with automation, provisioning and orchestration tools.
  • To keep up with continuous application delivery, security protections must adapt in real time.
  • A fully managed service should be considered to remove complexity and minimize resources.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now