O'Reilly Modern Defense in Depth

here is to identify vulnerabilities in the implementation of web application code and use that information to provide virtual patching by way of customized WAF rules. This buys time and provides protection while developers fix the issues that the scans and vulnerability tests have found in their application code. In addition, some open source and commercially available application scanning and testing tools report their results in detail and recommend how to shore up the defenses the WAFs currently provide.

One challenge here is that the vulnerability management teams that usually run vulnerability scans are often not the people responsible for patching vulnerable systems, or even for creating the rules that implement virtual patching in a WAF. My recommendation is that there be a clear line of communication and responsibility, on both ends, for prioritizing and patching systems. In most organizations this can be resolved.

Concerning WAF rules, do not take rules that fire in "detected" (log-only) mode lightly. Typically, rules that fire repeatedly indicate a continuous attempt by attackers to exploit an application or, even worse, to gain access to the downstream data. However, WAF rules that trigger continuously can cause operator and analyst alert fatigue. Often such rules are either turned off or their alerts are ignored, which increases risk for the organization.

When organizations see repetitive questionable activity coming from a certain source IP address, my recommendation is to implement dynamic blacklists of the repeat offenders and block their traffic at the upstream lines of defense. Finally, given that most web applications access highly critical and private data downstream, building an impenetrable moat around an organization's data is highly recommended.
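The repeat-offender logic recommended above, as an added example that is not code from the O'Reilly report: a sliding-window counter over WAF alert lines that promotes a source IP to a time-limited blocklist once it crosses a hit threshold, skips malformed lines instead of stalling, and tallies which rules fire most so that noisy rules can be tuned rather than switched off. The alert line format, rule names, IP addresses (TEST-NET ranges) and thresholds are all constructed for the example and do not correspond to any particular WAF's log output.

```python
"""Sliding-window repeat-offender detection over WAF alert lines.

Added example, not code from the O'Reilly report. The log line format,
rule names, addresses and thresholds are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed (hypothetical) alert format:
#   "<iso timestamp> client=<ip> rule=<id> action=<detected|blocked>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) rule=(?P<rule>\S+) action=(?P<action>detected|blocked)$"
)


@dataclass
class Alert:
    ts: datetime
    ip: str
    rule: str
    action: str


def parse_line(line: str) -> Alert | None:
    """Parse one alert line; return None for a line that does not match so a
    malformed line never stalls the pipeline."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return Alert(datetime.fromisoformat(m["ts"]), m["ip"], m["rule"], m["action"])


@dataclass
class RepeatOffenderTracker:
    threshold: int = 5                         # alerts from one source within the window
    window: timedelta = timedelta(minutes=5)   # sliding window for counting hits
    block_ttl: timedelta = timedelta(hours=1)  # how long a promoted source stays blocked
    _hits: dict[str, deque] = field(default_factory=lambda: defaultdict(deque))
    _blocked_until: dict[str, datetime] = field(default_factory=dict)
    rule_counts: dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def observe(self, alert: Alert) -> bool:
        """Record an alert. Return True only when this alert newly promotes the
        source IP onto the blocklist, so the caller acts once rather than on
        every further hit from an already-blocked source."""
        self.rule_counts[alert.rule] += 1
        hits = self._hits[alert.ip]
        hits.append(alert.ts)
        cutoff = alert.ts - self.window
        while hits and hits[0] < cutoff:       # drop hits that fell out of the window
            hits.popleft()
        already_blocked = self.is_blocked(alert.ip, alert.ts)
        if len(hits) >= self.threshold:
            # Refresh the expiry on every qualifying hit: a source that keeps
            # hammering stays blocked, one that stops eventually ages out.
            self._blocked_until[alert.ip] = alert.ts + self.block_ttl
            return not already_blocked
        return False

    def is_blocked(self, ip: str, now: datetime) -> bool:
        until = self._blocked_until.get(ip)
        return until is not None and now < until

    def blocklist(self, now: datetime) -> list[str]:
        """Sources that should currently be denied at the upstream layer."""
        return sorted(ip for ip, until in self._blocked_until.items() if now < until)

    def noisiest_rules(self, n: int = 3) -> list[tuple[str, int]]:
        """Rules firing most often: candidates for tuning, not for disabling."""
        return sorted(self.rule_counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed sample alerts (TEST-NET addresses, made-up rule names).
SAMPLE_LOG = """\
2024-05-01T10:00:00+00:00 client=203.0.113.7 rule=vp-login-sqli action=detected
2024-05-01T10:00:05+00:00 client=203.0.113.7 rule=vp-login-sqli action=detected
2024-05-01T10:00:09+00:00 client=198.51.100.20 rule=vp-search-xss action=detected
2024-05-01T10:00:12+00:00 client=203.0.113.7 rule=vp-login-sqli action=detected
2024-05-01T10:00:20+00:00 client=203.0.113.7 rule=vp-admin-lfi action=detected
2024-05-01T10:00:31+00:00 client=203.0.113.7 rule=vp-login-sqli action=detected
this line is malformed and must be skipped rather than crash the pipeline
2024-05-01T10:00:40+00:00 client=203.0.113.7 rule=vp-login-sqli action=detected
2024-05-01T10:30:00+00:00 client=198.51.100.20 rule=vp-search-xss action=detected
2024-05-01T11:45:00+00:00 client=192.0.2.9 rule=vp-search-xss action=blocked
"""


def run(log_text: str, tracker: RepeatOffenderTracker | None = None):
    """Feed every parseable line to the tracker; return the tracker, the list
    of (timestamp, ip) promotions, and the timestamp of the last alert seen."""
    tracker = tracker or RepeatOffenderTracker()
    promotions: list[tuple[datetime, str]] = []
    last_ts: datetime | None = None
    for line in log_text.splitlines():
        alert = parse_line(line)
        if alert is None:
            continue
        last_ts = alert.ts
        if tracker.observe(alert):
            promotions.append((alert.ts, alert.ip))
    return tracker, promotions, last_ts


if __name__ == "__main__":
    tracker, promotions, last_ts = run(SAMPLE_LOG)
    for ts, ip in promotions:
        print(f"{ts.isoformat()} promote {ip} to upstream blocklist")
    print("blocked now:", tracker.blocklist(last_ts))
    print("noisiest rules:", tracker.noisiest_rules())
```

With the sample input, 203.0.113.7 reaches five detections inside the five-minute window at 10:00:31 and is promoted once; its sixth hit only refreshes the expiry. 198.51.100.20 triggers the same rule twice but thirty minutes apart, so it never crosses the threshold. The output of `blocklist()` is what would be pushed to the upstream layer (CDN or edge ACL). The TTL matters in practice: a permanent block on an address behind a shared NAT or proxy punishes legitimate users long after the attacker has moved on, so let entries age out and re-promote a source that comes back.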
Today's cloud-based WAFs play a critical role in protecting applications and data, especially as organizations move away from brick-and-mortar data centers and toward the cloud.

Defensive Line 7: API Defenses

The next line of defense that organizations need to consider is protecting their publicly exposed application programming interfaces (APIs). Today, organizations use APIs to support their mobile

24 | Chapter 3: Cloud-Based Lines of Defense for Web Application Security
