Blog post -

Your Web Applications are Dangerous

LONDON, 5 August 2014 – Your web applications are likely to be a danger to your organisation, unless you already have a Web Application Firewall (WAF). The SANS Institute (http://www.sans.org) tells us that attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet, and it is the growing number of custom-built web applications that are being targeted.

The very first Magic Quadrant for Web Application Firewalls was published recently (June 2014), indicating that the WAF market has matured enough to merit its own ‘MQ’. IT research firm Gartner projects that by 2018 only 20% of enterprises will rely solely on firewalls or intrusion prevention to protect web applications, half of today’s figure of 40%. So just why is the WAF market expected to grow at a faster rate?

Quite a few WAF vendors have been around for over 10 years, but until recently adoption of the technology has been relatively slow, with many enterprises thinking that Next Generation Firewall (NGFW) and Intrusion Prevention System (IPS) solutions provide enough protection. However, comparing a typical organisation's level of dependency on web applications 10 years ago with that of today is chalk and cheese.

Web applications are attractive targets

Many more valuable systems and processes, both internal and external facing, are now run over the Web than ever before, making them highly attractive targets for malicious attacks backed by well-funded organisations. In fact the complexity of today’s Web applications (which rely on languages and scripts such as HTML5, Java, JavaScript, PHP, with extensive use of third party source code, frameworks and libraries) often delivers perfect-storm conditions for Advanced Evasion Techniques (AETs), which obfuscate malicious code by chopping it into bits and pieces that arrive by different paths – meaning attackers have even more opportunity to probe and penetrate defences.

Currently, the highest rates of WAF adoption are among governments and large financial and e-commerce organisations, although many midsize and enterprise organisations are starting to realise they also need this additional layer above and beyond their NGFWs and IPSs, especially those whose web applications run business-critical operations such as payroll and e-banking transactions.

Do you need a WAF?

The answer is a resounding yes if any of the following are applicable to your organisation.

  1. Your organisation needs to achieve compliance with regulatory standards.
  2. Your organisation owns public websites.
  3. Your organisation makes internal web applications available to partners and clients.
  4. Your organisation has business-critical internal web applications.

NGFW and IPS is not enough

Traditional perimeter security technologies such as firewalls and intrusion prevention have focused on network and transport layer attacks, but many next generation solutions have had additional technologies added to enhance application security. Application Control identifies and controls known applications on the network and endpoints, for example allowing user access to Facebook chat but not to Facebook video.

In addition, Deep Packet Inspection (DPI) enhancements extend signature engines to the application layer. Whilst these are useful for providing better control of common applications and for protecting the web server infrastructure respectively, they do not protect against vulnerabilities in custom-built web applications such as SQL injection (SQLi) and cross-site scripting (XSS) flaws: a signature can only match an attack that has already been catalogued, and it knows nothing about what a bespoke application's parameters are supposed to look like. A signature approach is simply not enough, which is why sophisticated WAFs build a comprehensive model of allowed application behaviour and reject whatever falls outside it.
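To illustrate the difference between a signature rule and a model of allowed behaviour, here is an added example that is not code from the original post or from any WAF vendor. It assumes a hypothetical login and transfer endpoint whose parameter profile (`PROFILE`) has been declared up front, and compares a single negative-model signature with a positive-model check on constructed requests.

```python
import re

# Constructed positive-security profile for two hypothetical endpoints:
# each parameter declares the only shape the application ever expects.
PROFILE = {
    "/login": {
        "username": r"^[A-Za-z0-9._-]{3,32}$",
        "remember": r"^(0|1)$",
    },
    "/account/transfer": {
        "amount": r"^\d{1,7}(\.\d{2})?$",
        "to_iban": r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$",
    },
}

# A single negative-model signature, in the style of an IPS/DPI rule:
# it only fires on attack text it has been told about.
SIGNATURE = re.compile(r"union\s+select|or\s+1\s*=\s*1", re.IGNORECASE)


def signature_check(params):
    """Negative model: allow the request unless a known-bad pattern is present."""
    return not any(SIGNATURE.search(value) for value in params.values())


def positive_model_check(path, params):
    """Positive model: allow only declared parameters, each matching its declared shape."""
    spec = PROFILE.get(path)
    if spec is None:
        return False  # unknown endpoint: deny by default
    for name, value in params.items():
        pattern = spec.get(name)
        if pattern is None:
            return False  # parameter the application never defined
        if not re.fullmatch(pattern, value):
            return False  # value outside the declared shape
    return True


if __name__ == "__main__":
    normal = {"username": "alice_01", "remember": "1"}
    # Constructed request whose SQL-style payload is split by inline comments,
    # so the whitespace-based signature never sees "or 1=1" as one token.
    evasive = {"username": "a'/**/oR/**/'1'='1", "remember": "1"}
    for label, req in (("normal", normal), ("evasive", evasive)):
        print(label, "signature:", signature_check(req),
              "positive model:", positive_model_check("/login", req))
```

The positive model also rejects an undeclared parameter or an unknown path outright, which is the property that protects a bespoke application no signature author has ever seen.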

WAF technology is just part of the solution

Even if you finally decide to deploy a WAF alongside your IPS and NGFW, this is still likely not to be enough. Increasingly, organisations are building their own web applications, usually containing custom code as well as third-party components, meaning that a WAF alone may not be able to address all the peculiarities of a custom application. Additional application security testing is advised for all bespoke applications, as well as general vulnerability assessments and penetration testing.

As a trusted adviser to significant organisations internationally, Infosec Partners has a track record in delivering strategies to combat threats to an organisation’s web applications, providing expertise to evaluate the security of bespoke applications, and implementing mitigation controls.

Trusted Adviser and Partner of Excellence

Named as the UK’s first ever Fortinet Partner of Excellence, and one of only a handful worldwide, Infosec Partners has achieved the highest recognition from one of the leading vendors of network security and network infrastructure. To achieve the award, Infosec Partners had to demonstrate expertise across the entire Fortinet portfolio, including FortiWeb, Fortinet’s Web Application Firewall solution.

Infosec Partners’ Commercial Director, Fran Ordillano, was surprised not to see Fortinet listed higher in the first ever Gartner Magic Quadrant for Web Application Firewalls.

“That Fortinet is not yet in the leaders quadrant is a surprise, but understandable given the head start that other vendors have had to build a market and revenue stream. The first FortiWeb solution was launched in 2009, whilst Imperva, Trustwave and others have had 10 or more years working the WAF market.”

“As Fortinet have confided with us, there are a number of ongoing developments which we expect to radically shake up the relative positioning against current leaders by the time the next WAF MQ is released.”

These developments include the upcoming FortiGlobal solution which allows true centralised management of all Fortinet solutions. Fortinet's reputation has been built on quality, effectiveness and their passion for creating a suite of fully integrated, fully functional security solutions that cater for all organisations all the way to Large Enterprise, Government and Telcos.

“We’re definitely seeing a rise in both the numbers of Midsize and Enterprise organisations looking to evaluate FortiWeb, based primarily on their satisfaction with existing FortiGate firewall solutions.”

Destined to be a market leader

Although FortiWeb was only introduced 5 years ago, it is a fully featured enterprise-grade WAF that competes strongly on core features with Imperva, F5, and Citrix. Fortinet is one of the few WAF providers that addresses PCI DSS requirement 6.6, through its integrated vulnerability assessment as well as the three FortiGuard subscriptions (Security Service, IP Reputation, and Antivirus). If clients require a combination appliance that also provides application delivery, FortiWeb offers built-in layer 7 server load balancing, caching and compression.

Contact Infosec Partners today for advice in evaluating your organisation's Web Application Security requirements, and for strategic solutions to help you achieve your business, security and compliance goals.

Contacts

Francisco Ordillano

Press contact: Consulting Partner, Commercial Director, +44 (0)845 257 5903