Despite efforts to incorporate security into their web applications, enterprises find themselves forced to take shortcuts so they can address other security projects. Meanwhile, user content continues to be unprotected, resulting in fire drills between the web developers and the security team. We've highlighted a few myths that top security experts and leaders have shared with us to debunk common misconceptions about web application security:
1. Security on the edge, using a Web Application Firewall (WAF), is all I need.
90% of all security vulnerabilities happen at the application layer and thousands of new attacks emerge every day. Web applications are the weakest security point for many enterprises, and when compromised can lead to potential data breach, network breach, identity theft, brand defacement and ultimately financial loss. Web Application Firewalls (WAFs) and other traditional reactive approaches are not keeping up - lending only a false sense of security and additional network latency.
WAFs rely on past definitions of known attacks, so they are always out of date and cannot prevent zero-day exploits or fuzzed variants of known attacks. Since web applications are dynamic, it often takes a lot of time and money to configure a WAF to reduce false positives and keep definitions up to date.
2. In-house security teams can build solutions to protect from all new threats.
In order to stay ahead of hackers, security solutions must be constantly updated and maintained. Homegrown solutions are mostly designed to address a few use cases and are based on a limited sample of current or past attacks. This also assumes that the in-house security and web development team have the know-how and time to service multiple web applications to keep up with the ever-changing vulnerability classes.
Enterprises are discovering that pricey firewalls, code reviews, audits and penetration tests are unsustainable on their own. An intelligent, seamless and low-maintenance solution can make a world of difference for IT administrators and free up bandwidth for other high-priority projects.
3. "You do your thing, and I'll do mine."
Many modern companies integrate with distributed third parties, through APIs and plug-ins, to acquire and share content within their web applications. While these business-critical partnerships promote efficiency, they introduce new security risks: organizations cannot trust incoming content or predict how it may impact their customers.
In 2012, 51% of all attacks were initiated through third-party applications. Today's open, interwoven web ecosystem and sharing culture means that nobody is isolated. Your application and users out there are vulnerable to attacks that span multiple web applications.
4. Blacklists are the only way to approach web application security.
The blacklist approach will always be defeated, as it only defines a finite number of terms in an environment with infinite complexity. It is virtually impossible to anticipate all future attacks as part of an exhaustive list. Hackers have an unlimited amount of time to craft a new attack, while blacklist-based security solutions only have a split second to react. If the attack is new, otherwise known as a zero-day exploit, it will bypass definition-based security such as WAFs.
A more flexible and efficient way to prevent these zero-day exploits is to understand how content and users behave within the context of the application. If you understand content and users' behavior as it happens, you can identify and accept what behavior and content you want to allow. Everything else will be blocked, whether it is a known attack or a new one.
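To make the blacklist-versus-allowlist point concrete, here is an added example (not code from the original post or from any vendor it describes) that sanitizes user-submitted HTML two ways: a blocklist filter that strips only the patterns it knows about, and an allowlist sanitizer built on Python's standard `html.parser` that keeps only tags and attributes the application has explicitly decided to accept and drops everything else. The allowed tag set, attribute set and URL schemes are assumptions chosen for the demo, and the sample comment is a constructed input.

```python
import html
import re
from html.parser import HTMLParser

# Assumed policy for a comment field: the application decides what it wants to
# allow; anything outside this set is dropped without needing to be named.
ALLOWED_TAGS = {"p", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_URL_PREFIXES = ("https://", "http://", "/")

# Constructed sample of user-submitted content (not from the original post).
SAMPLE_COMMENT = (
    '<p onclick="notAllowed()">Great post, see '
    '<a href="https://example.com/" target="_blank">this</a> and '
    '<em>that</em>.</p>'
    '<script>notAllowed()</script>'
    '<img src="x" onerror="notAllowed()">'
)


def blocklist_filter(fragment: str) -> str:
    """Blocklist approach: remove the one construct on the list (script blocks).

    Anything the list does not name, such as event-handler attributes on other
    tags, passes straight through, which is the weakness the article describes.
    """
    return re.sub(r"<script\b[^>]*>.*?</script\s*>", "", fragment,
                  flags=re.IGNORECASE | re.DOTALL)


class AllowlistSanitizer(HTMLParser):
    """Allowlist approach: rebuild the fragment from accepted pieces only."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        # > 0 while inside a tag whose text content must also be discarded
        self._drop_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):
                self._drop_depth += 1
            return  # unknown tag: dropped, no definition needed
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.lower().startswith(ALLOWED_URL_PREFIXES):
                continue  # only accepted link targets survive
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self._drop_depth:
                self._drop_depth -= 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._drop_depth == 0:
            # Text is always re-escaped, so it can never be interpreted as markup.
            self.out.append(html.escape(data))


def allowlist_sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("blocklist:", blocklist_filter(SAMPLE_COMMENT))
    print("allowlist:", allowlist_sanitize(SAMPLE_COMMENT))
```

Run on the sample, the blocklist output still carries the `onclick` and `onerror` attributes because neither was on the list, while the allowlist output is just `<p>Great post, see <a href="https://example.com/">this</a> and <em>that</em>.</p>`. The policy sets at the top are the whole definition of "what we allow"; a real deployment would use a maintained sanitizer library rather than this teaching parser, but the principle is the same.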