
Debunking the Top 4 Myths of Web Application Security

Kunal Anand on Apr 7, 2014

Photo by sylwia bartel

Despite efforts to incorporate security into the web application, enterprises find themselves forced to take shortcuts so they can address other security projects. Meanwhile, user content continues to be unprotected, resulting in fire drills between web developers and the security team. We've highlighted a few myths that top security experts and leaders have shared with us, to debunk common misconceptions about web application security:


1. Security on the edge, using a Web Application Firewall (WAF), is all I need.

90% of all security vulnerabilities happen at the application layer, and thousands of new attacks emerge every day. Web applications are the weakest security point for many enterprises, and when compromised they can lead to data breaches, network breaches, identity theft, brand defacement and ultimately financial loss. Web Application Firewalls (WAFs) and other traditional reactive approaches are not keeping up, providing only a false sense of security while adding network latency.

WAFs rely on past definitions of known attacks, so they are always out of date and cannot prevent zero-day exploits or attacks discovered through fuzzing. Since web applications are dynamic, it often takes a lot of time and money to configure a WAF to reduce false positives and to keep its definitions up to date.


2. In-house security teams can build solutions to protect from all new threats.

In order to stay ahead of hackers, security solutions must be constantly updated and maintained. Homegrown solutions are mostly designed to address a few use cases and are based on a limited sample of current or past attacks. This also assumes that the in-house security and web development teams have the know-how and time to service multiple web applications and keep up with the ever-changing vulnerability classes.

Enterprises are discovering that pricey firewalls, code reviews, audits and penetration tests are unsustainable on their own. An intelligent, seamless and low-maintenance solution can make a world of difference for IT administrators and free up bandwidth for other high-priority projects.


3. "You do your thing, and I'll do mine."

Many modern companies integrate with distributed third parties, through APIs and plug-ins, to acquire and share content within their web applications. While these business-critical partnerships promote efficiency, they introduce new security risks: organizations cannot trust incoming content or predict how it may affect their customers.

In 2012, 51% of all attacks were initiated through third-party applications. Today's open, interwoven web ecosystem and sharing culture mean that nobody is isolated. Your application and its users are exposed to attacks that span multiple web applications.


4. Blacklists are the only way to approach web application security.

The blacklist approach will always be defeated, as it only defines a finite number of terms in an environment with infinite complexity. It is virtually impossible to anticipate all future attacks as part of an exhaustive list. Hackers have unlimited time to craft a new attack, while blacklist-based security solutions only have a split second to react. If the attack is new, otherwise known as a zero-day exploit, it will bypass definition-based security such as WAFs.

A more flexible and efficient way to prevent these zero-day exploits is to understand how content and users behave within the context of the application. If you understand content and user behavior as it happens, you can identify and accept only the behavior and content you want to allow. Everything else is blocked, whether it is a known attack or a new one.
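The contrast drawn in myths 1 and 4, between a definition-based filter and an allow-only policy for user content, is easiest to see in code. The example below is added here for illustration and is not Prevoty's code or anything from the original post. It assumes a constructed policy: user-supplied HTML may contain only a handful of formatting tags, and links may only use http or https. A signature-style blocklist is shown beside it, and the constructed sample inputs include a tag the blocklist has never heard of, which the allowlist drops without needing a definition for it.

```python
import html
from html.parser import HTMLParser

# Constructed policy (assumption for this example): the only content the
# application wants to accept from users is basic formatting plus links.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_URL_SCHEMES = ("http://", "https://")
# Elements whose inner text must never be emitted, even escaped.
RAW_TEXT_TAGS = {"script", "style"}

# A signature-style blocklist: finite, and only as good as its last update.
KNOWN_BAD_SIGNATURES = ("<script", "javascript:")


def blocklist_filter(text: str) -> bool:
    """Return True if the text passes the blocklist (no known signature found)."""
    lowered = text.lower()
    return not any(sig in lowered for sig in KNOWN_BAD_SIGNATURES)


class AllowlistSanitizer(HTMLParser):
    """Rebuild the document keeping only allowlisted tags and attributes.

    Everything not explicitly allowed is dropped; text is re-escaped, so
    entity-encoded input is normalized rather than passed through.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped_tags: list[str] = []
        self.raw_depth = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.raw_depth += 1
        if tag not in ALLOWED_TAGS:
            self.dropped_tags.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.lower().startswith(ALLOWED_URL_SCHEMES):
                continue  # only http/https links are accepted
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS and self.raw_depth > 0:
            self.raw_depth -= 1
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.raw_depth:
            return  # never emit script/style bodies
        self.out.append(html.escape(data))

    # Comments and processing instructions fall through to the defaults,
    # which emit nothing, so they are dropped as well.


def sanitize(text: str) -> tuple[str, list[str]]:
    """Return (allowlisted HTML, list of tag names that were dropped)."""
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out), parser.dropped_tags


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    samples = [
        '<p>Hello <b>world</b>, see <a href="https://example.com">docs</a></p>',
        '<p>Hi</p><script>alert(1)</script>',
        '<p>Hi</p><custom-widget data-src="x">text</custom-widget>',
        '<a href="ftp://example.com/x">x</a>',
    ]
    for s in samples:
        passed = blocklist_filter(s)
        cleaned, dropped = sanitize(s)
        print(f"blocklist passes: {passed!s:5}  allowlist output: {cleaned!r}  dropped: {dropped}")
```

The third sample is the point of the comparison: the blocklist passes it because none of its signatures match, while the allowlist drops the unknown element simply because it was never approved. The allowlist needs no update when a new element or attribute shows up; the blocklist needs one for every new variant.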





Kunal Anand

Kunal Anand is the co-founder and CTO of Prevoty, a next-generation web application security platform. Prior to that, he was the Director of Technology at the BBC Worldwide, overseeing engineering and operations across the company’s global Digital Entertainment and Gaming initiatives. Kunal also has several years of experience leading security, data and engineering at Gravity, MySpace and NASA’s Jet Propulsion Laboratory. His work has been featured in Wired Magazine and Fast Company. He continues to develop the patented security technologies that power Prevoty’s core products. Kunal received a B.S. from Babson College.


Topics: WAFs, Application Security