A mind-boggling number of applications reside in the cloud without any protection. No web app firewall. No identity or access control. Nothing. They're just out there, open to attack.
It’s a nightmare for enterprises and a dream come true for attackers.
It’s also unwise given the increasing attention paid to applications as targets. Whether it’s to find a path into rich sources of data or to leverage the app as a distribution point for other nefarious purposes, application attacks are on the rise.
In fact, if we look at the top breaches, we find that 30% of them involved attacks on web applications. A significant 62% of cases involved hacking aimed at exploiting a vulnerability. And a staggering 77% of them were carried out by botnets, not individuals.
Which means you need to protect your apps from bots and vulnerabilities lest you become just another statistic.
And when I say your apps, I mean all your apps. All apps are critical apps when it comes to security – even in the cloud. Perhaps more so in the cloud, where apps might be deployed without even the rudimentary protections afforded by a network firewall.
But we can’t (and shouldn’t) ignore that complexity – especially of security solutions – can sometimes get in the way of protecting applications in the cloud. Just over one-third (34%) of respondents in our State of Application Delivery 2018 survey told us that “increasing complexity of security solutions” was a top security challenge for the coming year.
Security can be hard. But it doesn’t have to be; especially in the cloud.
For those unaware, AWS provides a pretty sweet platform for not just you to deploy your apps but for vendors to add functionality to it as well. In the security space, its native web application firewall provides for third-party managed rules to augment its functionality. That means you can protect against the threats behind the top breaches without needing to learn all the ins and out of a web application firewall. If you’re just starting out, AWS WAF Managed Rules is a good place to dip your toe into web app security and guard against the most common threats that plague applications (and business) today.
AWS WAF Managed Rules are just that – web app security rules that extend AWS WAF functionality and provide protection for any app. They’re managed, which means security experts are maintaining and updating them so you can have confidence that they’re always up to date and defending against the latest threats. It’s security as a service, in the cloud, for any app.
To protect your apps against three of the most common threats – bots, known vulnerabilities, and hacking – there are three different rules you need to consider deploying right now. Consider carefully, though, because you can only choose one (that’s 1) managed rule at a time.
The OWASP Top Ten are well known by developers, DevOps, and security professionals alike. You know many of their names: SQLi, XSS, command injection, NoSQL injection, path traversal, and predictable resource location. These are the top ten most common vulnerabilities that wind up giving organizations headaches (and sometimes undesirable headlines) when they’re exploited. And they often are, especially when they are found in apps that talk to data sources containing juicy consumer or corporate data.
Ideally, developers should address them in code as soon as they are discovered. In reality, we know it takes months for that to happen (if it ever happens). That’s why a web application firewall that can handle these common vulnerabilities is so valuable: it offers instant protection against exploitation. Whether as a permanent solution or a stopgap, it makes sense to use a rule set that includes the OWASP Top Ten.
The importance of protecting against known CVEs cannot be overstated.
In 2015, Kenna Security published a report on a study of a sample of 50,000 organizations with 250 million vulnerabilities and more than a billion (BILLION) breach events, and found two very interesting points about vulnerability remediation:
In other words, most organizations are likely to have a CVE exploited before they get a chance to remediate. If you haven’t been paying attention, a number of *very* high profile breaches have been traced to CVEs. Like, super mega uber high profile. Consider some of the platforms and libraries with CVEs: Apache, Apache Struts, Bash, Elasticsearch, IIS, JBoss, JSP, Java, Joomla, MySQL, Node.js, PHP, PHPMyAdmin, Perl, Ruby On Rails, and WordPress. That covers most of the apps on the Internet these days.
So you definitely want to employ rules that can virtually patch your application against exploitation of CVEs as soon as they are disclosed. You should still patch them at the source (usually the platform or third-party library), but in the meantime your app will be protected against a breach.
This remediation gap – and a dearth of security expertise – is what makes managed rules in the cloud such a good idea. Experts maintain them and ensure they’re up to date and able to protect apps against exploits; all you need to do is deploy them.
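The OWASP Top Ten rule and the virtual-patch rule described above work the same way underneath: the WAF normalizes each request (decoding URL encoding so that it sees what the application would see) and compares the pieces against signatures before the request reaches the app. The Python sketch below is an added illustration of that mechanism, not code from AWS, F5 or any managed rule set; the handful of signatures, the Request model, the constructed sample traffic and the `/vulnerable-endpoint` placeholder path are all assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import unquote_plus


@dataclass
class Request:
    """Minimal model of an inbound HTTP request (constructed for this example)."""
    method: str
    path: str
    query: str = ""
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    category: str            # "OWASP Top Ten" or "virtual patch"
    pattern: re.Pattern
    parts: Tuple[str, ...]   # which request parts the rule inspects


def normalize(value: str) -> str:
    """Decode URL encoding twice (defeats double encoding) and lowercase,
    so signatures match what the application would actually process."""
    return unquote_plus(unquote_plus(value)).lower()


# Illustrative signatures only; real managed rule sets are far larger and tuned
# against false positives (e.g. a product named "Union Select" would trip #2).
RULES = [
    Rule("sqli-tautology", "OWASP Top Ten",
         re.compile(r"""['"]\s*(or|and)\s+['"\w]+\s*=\s*['"\w]+"""),
         ("query", "body")),
    Rule("sqli-union", "OWASP Top Ten",
         re.compile(r"\bunion\b.+\bselect\b"), ("query", "body")),
    Rule("xss-script-or-handler", "OWASP Top Ten",
         re.compile(r"<\s*script\b|javascript:|\bon(click|load|error|mouseover)\s*="),
         ("query", "body")),
    Rule("path-traversal", "OWASP Top Ten",
         re.compile(r"\.\.[/\\]"), ("path", "query", "body")),
    Rule("command-injection", "OWASP Top Ten",
         re.compile(r"(;|\|\||&&|`)\s*(cat|ls|id|whoami|wget|curl)\b"),
         ("query", "body")),
    # Virtual patch: refuse traffic to an endpoint known to be vulnerable until
    # the upstream fix is deployed. The path is a constructed placeholder.
    Rule("virtual-patch-PLACEHOLDER-endpoint", "virtual patch",
         re.compile(r"^/vulnerable-endpoint(/|$)"), ("path",)),
]


def inspect(req: Request, rules=RULES) -> Optional[Rule]:
    """Return the first rule that matches the request, or None to allow it."""
    parts = {
        "path": normalize(req.path),
        "query": normalize(req.query),
        "body": normalize(req.body),
        "headers": normalize(" ".join(f"{k}: {v}" for k, v in req.headers.items())),
    }
    for rule in rules:
        if any(rule.pattern.search(parts[p]) for p in rule.parts):
            return rule
    return None


# Constructed sample traffic: one benign request and several that a WAF
# carrying OWASP Top Ten and virtual-patch rules should block.
SAMPLES = {
    "benign-search": Request("GET", "/search", query="q=running+shoes"),
    "sqli": Request("GET", "/login", query="user=admin'+OR+'1'='1"),
    "xss": Request("POST", "/comment", body="text=%3Cscript%3Ealert(1)%3C/script%3E"),
    "double-encoded-traversal": Request("GET", "/static", query="file=..%252F..%252Fconfig.yml"),
    "virtual-patch": Request("GET", "/vulnerable-endpoint/status"),
}


def verdicts() -> Dict[str, str]:
    """Map each sample name to 'ALLOW' or 'BLOCK:<rule name>'."""
    out = {}
    for name, req in SAMPLES.items():
        hit = inspect(req)
        out[name] = "ALLOW" if hit is None else f"BLOCK:{hit.name}"
    return out


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:26} {verdict}")
```

The double-encoded traversal sample is the reason normalization comes before matching: a single decode would leave `..%2F` in the query and the traversal signature would never fire. The virtual-patch rule shows why managed rules close the remediation gap cited above: a one-line path rule can be deployed in minutes, while the real fix waits on the platform or library vendor.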
More than half of all visitors to apps these days are bots. And not the good spider kind of bots crawling your site to index it and make it available through search engines. We’re talking about the seedy, Decepticon kind of bot that is searching for vulnerabilities, shoving spam in your communities, scraping your site, or participating in a botnet-based DDoS scheme.
Defense against bots isn’t easy. Captchas are constantly trying new methods of identifying and blocking bots, but like the seasonal flu these pesky critters just keep adapting and getting around defenses.
Still, malicious bots exhibit behaviors that can be detected and identify them as unwanted. Bot Defense rules are able to watch for those behaviors and activity that signal ungood intent and block them from interacting with your application. We’ve seen a rise in the percentage of organizations that take advantage of bot defense services over the past two quarters, and we expect this to continue given the state of things.
Deploying a bot protection rule for applications in the cloud can provide air cover that stops CVE exploitation before it happens.
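The behaviors a bot defense rule watches for are visible in ordinary access logs: bursts of requests far faster than a person clicks, a high share of 404s from probing paths that do not exist, automation user agents, and hits on a trap link that no human would see. The Python script below is an added example of that kind of behavioral scoring run over a constructed combined-format log, not the logic of AWS WAF or F5 Bot Defense; the thresholds, the `/trap/` honeypot path, the client addresses and every log line are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed tuning values; a real deployment sets these per application.
AUTOMATION_UA = re.compile(r"python-requests|curl/|wget/|go-http-client|scrapy|^$", re.I)
HONEYPOT_PATHS = {"/trap/"}        # a link hidden from humans and disallowed in robots.txt
RATE_WINDOW = timedelta(seconds=60)
RATE_LIMIT = 30                    # requests per window before the rate signal fires
MIN_REQUESTS_FOR_RATIO = 5
NOT_FOUND_RATIO = 0.5
SIGNALS_TO_BLOCK = 2               # require two independent signals to reduce false positives


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def peak_rate(timestamps: List[datetime]) -> int:
    """Largest number of requests falling inside any RATE_WINDOW (sliding window)."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > RATE_WINDOW:
            j += 1
        best = max(best, i - j + 1)
    return best


def score_clients(lines: List[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Group requests by client address and return {ip: (verdict, reasons)}."""
    per_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in per_ip.items():
        reasons = []
        if peak_rate([r["ts"] for r in recs]) > RATE_LIMIT:
            reasons.append("request rate")
        if len(recs) >= MIN_REQUESTS_FOR_RATIO:
            not_found = sum(1 for r in recs if r["status"] == 404) / len(recs)
            if not_found >= NOT_FOUND_RATIO:
                reasons.append("404 ratio")
        if any(AUTOMATION_UA.search(r["ua"]) for r in recs):
            reasons.append("automation user agent")
        if any(r["path"] in HONEYPOT_PATHS for r in recs):
            reasons.append("honeypot path")
        verdict = "bot" if len(reasons) >= SIGNALS_TO_BLOCK else "human"
        verdicts[ip] = (verdict, reasons)
    return verdicts


# --- constructed sample log: one shopper and one scanner -------------------
def _line(ip: str, ts: datetime, method: str, path: str, status: int, ua: str) -> str:
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


BASE = datetime(2018, 4, 25, 10, 0, 0, tzinfo=timezone.utc)
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/59.0"
SCANNER_UA = "python-requests/2.19.1"

SAMPLE_LOG = (
    [_line("203.0.113.7", BASE + timedelta(seconds=30 * i), "GET", p, 200, BROWSER_UA)
     for i, p in enumerate(["/", "/products", "/products/42", "/cart"])]
    + [_line("198.51.100.23", BASE + timedelta(seconds=i), "GET", f"/probe{i}", 404, SCANNER_UA)
       for i in range(40)]
    + [_line("198.51.100.23", BASE + timedelta(seconds=41), "GET", "/trap/", 200, SCANNER_UA)]
)


if __name__ == "__main__":
    for ip, (verdict, reasons) in score_clients(SAMPLE_LOG).items():
        print(f"{ip:16} {verdict:6} {', '.join(reasons) or '-'}")
```

Requiring two independent signals matters in practice: a busy office behind one NAT address can exceed a naive rate limit, and a legitimate crawler can generate 404s, but the combination of rate, probing, an automation client and a honeypot hit is hard to produce innocently. A declared search-engine crawler should be verified (for example by reverse DNS) rather than allowlisted on user agent alone, since the user agent is attacker-controlled.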
It’s important to note that some applications will need protection against all three threats. Still others will need protection against more than bots, CVEs, and the OWASP Top Ten. Some will need data scrubbing and leak prevention, as well as more application-specific defenses. Schema validation is a good example, especially when accepting data from unknown sources. L7 (application layer) DDoS is another. Protocol enforcement is also valuable for protecting against TCP- or HTTP-based vulnerabilities. If you need more than one (1) rule or additional protections, you’ll want to explore a full advanced WAF. And as your application grows in capabilities and customers, you’ll also need to make sure you strengthen your protections.
Regardless, managed rules are a great way to get started with app protection in the cloud. They provide a solid foundation for web app security without requiring you to become a security expert yourself.
Join AWS and F5 to learn how the F5 WAF can help you safeguard your data, meet compliance regulations, and establish ongoing protection for your cloud workloads.
Join the webinar to learn:
Webinar date and time:
Wednesday, April 25, 2018 | 10:00 AM PT