In this series of articles, we’ve been exploring the various ways that application security is evolving and what it means for modern security teams. In the first article, we analyzed how virtually all applications have evolved to be web-facing in some manner and how this has massively multiplied the AppSec attack surface for most organizations. Next, we addressed the applications themselves and how the evolution of DevOps and new microservice architectures have created new opportunities, as well as new challenges, for security. In this article, we shift our focus to the threats themselves. Here, we will take a look at the many types of threats facing modern applications, some of the challenges they pose to the traditional web application firewall (WAF) model, and how security can evolve moving forward.
Today AppSec teams are facing a threat landscape that is both massive and diverse. Some of these threats will be quite familiar, while others introduce new twists and challenges for security. Let’s take a look:
The OWASP Top 10
The OWASP Top 10 is probably the most well-known resource covering risks to web applications. The list is compiled based on what a consensus of security professionals identify as the most critical risks to web applications. This naturally includes many of the usual suspects of web application security, such as a broad variety of injection attacks (SQLI), weaknesses in authentication and access control, cross-site scripting (XSS), and XSRF vulnerabilities just to name a few.
In many ways, detecting and stopping OWASP Top 10 threats is table stakes for security teams. These are the threats that WAFs have focused on since their inception. However, while most every WAF will address the Top 10, that doesn’t mean that all WAFs are equally effective at detecting and thwarting them. Traditional WAFs have been heavily reliant on signatures, which has required constant updating and tuning to avoid false positives. The lack of confidence in accuracy has limited many a WAF to being deployed only for detection. Next, attackers are smart too, and they have a constantly evolving set of techniques to obscure and obfuscate their attacks to avoid triggering signatures. Threat X offers a new approach that reliably detects and blocks these threats without the need for signatures. The approach combines analysis of application behavior, attacker/entity behavior, and active engagement and deception of suspected threats. We will go into more detail on how this approach works in the next article in this series.
Open Source Libraries
In the age of agile application development, most applications are built using open source code and frameworks. This obviously lets developers avoid reinventing the wheel with each application and leads to faster, easier development. The downside is that when a new vulnerability is discovered, the issue can apply to every application that uses that code, instantly exposing hundreds of thousands of applications across the Internet. High-profile vulnerabilities in Apache Struts or the infamous Heartbleed are just a few examples, but new vulnerabilities make the rounds every day. And once those vulnerabilities are known, organizations are in a race to try and patch their apps before attackers can automatically scan and exploit them. This once again highlights the critical importance of being able to reliably block threats in real time instead of simply alerting on them.
Bots and Malicious Automation
In addition to traditional vulnerabilities and attacks, applications are increasingly facing a wave of malicious automation. These threats often use automated bots to attack an application on a large scale. To make things even trickier, many automated attacks don’t target a vulnerability per se, but instead, leverage valid application features in an unexpected way. For example, credential stuffing and account takeover (ATO) attacks will use bots to test known username/password combinations on an application’s login screen. This can allow an attacker to access and take over a victim’s account if they reuse the same password used in a previous breach.
To stop these attacks, you need to be able to distinguish human from automated visitors and to detect the unique signs of a distributed, automated attack. Once again this is an area where bringing together application intelligence, entity behavior analysis, and active engagement can solve problems that a traditional WAF simply can’t.
Distributed Denial-of-Service (DDoS)
Lastly, we have to consider attacks that simply want to bring down public access to the application. These attacks can rely on a wide variety of amplification techniques to drive massive amounts of traffic to a target application. Layer 7 DDoS can require an application to perform a large amount of work for a small request. For example, a simple login request can require a disproportionate amount of work to check username and password, retrieve application data and context, and present the user with the appropriate information. Defending against DDoS attacks often requires a different set of skills and capabilities than are found in a WAF, which puts added importance on having a complete application security platform.
These are some of the most common types of threats facing modern applications today, but it is, of course, not remotely exhaustive. In the next installment, we will dig further into ways to combat these threats and more using an attacker-centric security model. We will define what an attacker-centric model is, how it differs from and extends other approaches, and how it applies to the threats described above.