main

Application Security

4 Emerging Challenges in Securing Modern Applications

May 1, 2019 — by Radware0

appsecurity-960x474.jpg

Modern applications are difficult to secure. Whether they are web or mobile, custom developed or SaaS-based, applications are now scattered across different platforms and frameworks. To accelerate service development and business operations, applications rely on third-party resources that they interact with via APIs, well-orchestrated by state-of-the-art automation and synchronization tools. As a result, the attack surface becomes greater as there are more blind spots – higher exposure to risk.

Applications, as well as APIs, must be protected against an expanding variety of attack methods and sources and must be able to make educated decisions in real time to mitigate automated attacks. Moreover, applications constantly change, and security policies must adopt just as fast. Otherwise, businesses face increased manual labor and operational costs, in addition to a weaker security posture. 

The WAF Ten Commandments

The OWASP Top 10 list serves as an industry benchmark for the application security community, and provides a starting point for ensuring protection from the most common and virulent threats, application misconfigurations that can lead to vulnerabilities, and detection tactics and mitigations. It also defines the basic capabilities required from a Web Application Firewall in order to protect against common attacks targeting web applications like injections, cross-site scripting, CSRF, session hijacking, etc. There are numerous ways to exploit these vulnerabilities, and WAFs must be tested for security effectiveness.

However, vulnerability protection is just the basics. Advanced threats force application security solutions to do more.

Challenge 1: Bot Management

52% of internet traffic is bot generated, half of which is attributed to “bad” bots. Unfortunately, 79% of organizations can’t make a clear distinction between good and bad bots. The impact is felt across all business arms as bad bots take over user accounts and payment information, scrape confidential data, hold up inventory and skew marketing metrics, thus leading to wrong decisions. Sophisticated bots mimic human behavior and easily bypass CAPTCHA or other challenges. Distributed bots render IP-based and even device fingerprinting based protection ineffective. Defenders must level up the game.

[You may also like: CISOs, Know Your Enemy: An Industry-Wise Look At Major Bot Threats]

Challenge 2: Securing APIs

Machine-to-machine communications, integrated IoTs, event driven functions and many other use cases leverage APIs as the glue for agility. Many applications gather information and data from services with which they interact via APIs. Threats to API vulnerabilities include injections, protocol attacks, parameter manipulations, invalidated redirects and bot attacks. Businesses tend to grant access to sensitive data, without inspecting nor protect APIs to detect cyberattacks. Don’t be one of them.

[You may also like: How to Prevent Real-Time API Abuse]

Challenge 3: Denial of Service

Different forms of application-layer DoS attacks are still very effective at bringing application services down. This includes HTTP/S floods, low and slow attacks (Slowloris, LOIC, Torshammer), dynamic IP attacks, buffer overflow, Brute Force attacks and more. Driven by IoT botnets, application-layer attacks have become the preferred DDoS attack vector. Even the greatest application protection is worthless if the service itself can be knocked down.

[You may also like: DDoS Protection Requires Looking Both Ways]

Challenge 4: Continuous Security

For modern DevOps, agility is valued at the expense of security. Development and roll-out methodologies, such as continuous delivery, mean applications are continuously modified. It is extremely difficult to maintain a valid security policy to safeguard sensitive data in dynamic conditions without creating a high number of false positives. This task has gone way beyond humans, as the error rate and additional costs they impose are enormous. Organizations need machine-learning based solutions that map application resources, analyze possible threats, create and optimize security policies in real time.

[You may also like: Are Your DevOps Your Biggest Security Risks?]

Protecting All Applications

It’s critical that your solution protects applications on all platforms, against all attacks, through all the channels and at all times. Here’s how:

  • Application security solutions must encompass web and mobile apps, as well as APIs.
  • Bot Management solutions need to overcome the most sophisticated bot attacks.
  • Mitigating DDoS attacks is an essential and integrated part of application security solutions.
  • A future-proof solution must protect containerized applications, serverless functions, and integrate with automation, provisioning and orchestration tools.
  • To keep up with continuous application delivery, security protections must adapt in real time.
  • A fully managed service should be considered to remove complexity and minimize resources.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

DDoSSecurity

Be Certain and Specific when Fighting DDoS Attacks

July 19, 2018 — by Ray Tamasovich1

ddos-attacks-960x613.jpg

I was visiting a prospect last week and at the very beginning of the meeting he asked directly, “Why would I consider your products and services over the many others that claim to do the exact same thing?”  I immediately said, “That’s easy! Certainty and specificity.”  He looked at me, expecting more than a 5-word answer. When I did not provide one, he asked me to please explain. I told him that any number of the products or services on the market are capable of keeping your circuits from being overrun by a volumetric DDoS attack, but that if he wanted to be certain he was not blocking legitimate business users or customers, and if he wanted to be specific about the traffic he was scrubbing, he would need to consider my solution.

Attack Types & VectorsDDoSSecurity

DDoS Attackers Call for DDoS Defenders

October 24, 2017 — by Ben Zilberman0

case-study-ert-960x640.jpg

In late July we were approached by a government agency of a Latin American country who was suffering from an over-a-month long campaign of DDoS attacks they had so far failed to mitigate. Each of the attacks lasted for several hours at a time –sometimes multiple times a day – making it through their existing DDoS protection device and right into the headlines of the local press.

Attack Types & VectorsDDoSSecurity

Gaming – Legitimate vs. Malicious Users

July 20, 2017 — by Daniel Smith0

gaming-ddos-960x640.jpg

Over the years Radware has followed the evolution of DDoS attacks directed at the gaming industry. For the industry, large-scale DDoS attacks can result in network outages or service degradation and has become an everyday occurrence. In 2016 Lizard Squad and Poodle Corp launched repeated attacks against EA, Blizzard and Riot Games, resulting in service degradation and outages for users around the world.

Attack Types & VectorsDDoSSecurity

Cyber Security Predictions: Looking Back at 2016, Peering Ahead to 2017

December 13, 2016 — by Carl Herberger1

cyber-security-predictions-2017-960x557.jpg

2016: What a year! Internet of Things (IoT) threats became a reality and somewhat paradoxically spawned the first 1TBs DDoS—the largest DDoS attack in history. Radware predicted these and other 2016 events in the 2015–2016 Global Application and Network Security Report. Since initiating this annual report, we have built a solid track record of successfully forecasting how the threat landscape will evolve. While some variables stay the course, the industry moves incredibly quickly, and it takes just one small catalyst to spark a new direction that nobody could have predicted.

Let’s take a look back at how our predictions fared in 2016—and then explore what Radware sees on the horizon for 2017.

Attack Types & VectorsDDoSSecurity

Threat Alert: Bitcoin Exchanges and Websites Experiencing DDoS Attacks

July 6, 2016 — by Daniel Smith1

bitcoin-exchanges-ddos-attack-3-960x555.png

Threat Alert: Bitcoin Exchanges and Websites Experiencing DDoS Attacks

Over the last several months, our ERT Research team has noticed a growing trend of attackers targeting Bitcoin exchanges and websites that deal with Bitcoin directly. These websites are increasingly becoming the target of DDoS attacks for a number of reasons. First, they are mainly targeted by extortionists, but they are also experiencing attacks from competition and user aggression.

Bitcoin-related sites attract a lot of attention and demand from their users, but this also plays against them. This dedicated user base requires instant access and live updates about market conditions and the current value of Bitcoin. When these services go down, thousands of users are left locked out of their accounts, which can result in reputation damage or financial loss for their users. This is also why extortionists choose to target these sites; not only do they have Bitcoin on hand, but some are not willing to go offline even for a moment due to the fear of losing clients.

DDoSSecuritySSL

Adaptive Managed Services Bolster Security

June 30, 2016 — by Jason Ford0

adaptive-managed-services-bolster-security-3-960x640.png

By Jason Ford, Chief Technology Officer of BlackMesh

The benefits of relying on a managed service provider are seemingly endless. Managed services can help organizations focus on business strategies, conserve funds and resources, mitigate risks, and maintain, operate, and deploy environments. In recent years, however, the IT industry has come to a crossroad where managed services meet security. With the current threats of cyber hacks and intrusion methods being what they are, security is as important – or perhaps more important – to system owners as any other advantages they garner from a managed service provider. While championing the incomparable value correlated with having a powerful and dependable infrastructure without having to manage it, enterprises now can – and do – feel the same about managed security services.

DDoSHacksSecurity

School Networks Getting Hacked – Is it the Students’ Fault?

June 23, 2016 — by Daniel Smith2

school-education-hacks-3-960x656.png

School networks are increasingly becoming victims of cyber-attacks. They are presented with unique threats and challenges that most organizations do not have to deal with. Every year schools see thousands of new students that bring with them an arsenal of potentially vulnerable devices. To add to this growing complexity, most college campuses have migrated to digital platforms like Blackboard and Moodle. These online web portals are prime targets for denial of service attacks.

SecurityWAF

Cover Your Bases to Protect Your Organization From Advanced Threats

June 15, 2016 — by RussellWarren0

cover-your-bases-2-960x816.png


Organizations can protect themselves against advanced threats by adopting the right strategy. This strategy involves getting the right players on the field, with a complementary set of skills that will provide a team with the right mix of capabilities. In deploying security products into your IT environment, you are looking for the right mix of solutions (security monitoring, protection, analysis, analytics and response capabilities) in order to cover the field. Deploying an effective and efficient set of security solutions will provide you maximum benefits, with improved operational efficiencies and costs.