profile

Web Application Firewalls – Essential For All Websites

As we enter the dawn of a web generation, there is an awful lot of stress upon web security being vocalized everywhere. Hearing the same thing over and over again can get old. We hear about how important web security is without really being told what that means. This leads to frustration and exhaustion on a vague though overwhelming complex subject. But we must still bear with the security soap-box fanatics, and I begrudgingly agree. Why? Because web security is that important.

I began to ponder carefully and realized in today’s society, there isn’t a thing that happens that’s not somehow tied in with the internet. Why does the world seem to view web security as insignificant and neglect its necessity? Regrettably, I already have the answer to this. “Internet safety” has yet to be defined properly.

“So then, what is internet safety?”

…you might ask. There are things of this world that are deemed vital yet at the same time, reasons for it are unclear and misunderstood. Information and Communications Technology (ICT) security would fall into this category.  Since everyone would state their definition of ICT security vested in their own interests, there is a call for a standardization of this definition. One that considers everyone’s opinion and takes what is in the best interests of all to create a regulated set of rules. Among others, the International Organization of Standards is a world-renown and well-established organization of such order. Their ISO 27001 contains 10 clauses. It also has a detailed annex section which outlines the requirements for an organization to be certified as an Information Security Management System (ISMS).

It is logical to follow up with a question such as, “Is there an international standardizing body for internet safety?” And there is. The Online Trust Alliance (OTA) is a non-profit organization whose mission is to enhance online trust and empower users. They do this while promoting innovation and the vitality of the internet. Since 2008, the OTA has released its annual Online Trust Audit and Honor Roll. This report contains a comprehensive audit of a site’s best practices in brand and consumer protection, security and privacy. Nearly 1,000 sites expanding over a broad range of sectors including banks, retailers, social, media, news, government, and IoT were evaluated. The selected sites are leaders in their respective fields and/or members of the OTA. The Honor Roll represents those who score high enough to meet the evaluation criteria.

Who made it?

44 percent of all sites made the honor roll this year. This is a marked improvement in comparison to only 30 percent from the previous year. Unfortunately, 46 percent failed to protect consumers and their data from harm and online threats. The site with the highest score went to Twitter. This made it their 3rd consecutive year to receive the top overall award.

One important highlight to the 2015 report was the addition of awarding bonus points to sites that use a Web Application Firewall (WAF) like Cloudbric in the Site, Server, and Infrastructure Security category. The core essence of WAFs is to provide websites protection from malicious attacks. WAFs also detect malware and prevent it from affecting web servers and cover known vulnerabilities in the security architecture where data can breached, therefore making them an effective and efficient security measure. Overall, 35 percent of the sites had a WAF, led by Internet retailers and government organizations at 47 percent and 46 percent respectively. OTA has considered upgrading the bonus points for sites having a WAF to base points for 2016 because of the potential role it plays the ever changing security landscape.

Cloud WAF

If this is the case, why not try out cloud WAF services. It only takes a few steps to set up and it’ll be the same as if an appliance WAF has been installed. With just a few mouse clicks, it can protect your entire ICT security from almost 90% of all attack types. It can prevent website hacking, data leakage via the web, unauthorized access, and website falsification. Since it is a security as a service, not only is there no additional hardware maintenance fees, there are no service charges for the use of cloud-based WAF. In other words, it’s free. When traffic grows for your website and your company begins to scale, WAF will scale along in size and then begin to charge a fixed rate based on use.

What would be the most important job in website security? Based on my experience over the years, I’d say it’d be the administrator’s ability to adequately monitor web traffic. It is essential to keep up with the ever daily changing web attack trend analysis.  Continuous monitoring of the website logs helps maintain a safe and secure website. If functions are fast and performance is excellent the admin console is difficult to use, it’s all pointless. It is exactly for that reason, I’d like to recommend to you Cloudbric. Designed around WAPPLES, the WAF from enterprise IT security company Penta Security, cloud-based WAF service, Cloudbric includes several key features including an intuitive dashboard that far surpasses those of competing service products. I can’t emphasize enough, the core of web security is the ability constantly monitor traffic.

It’s never too late

As the company grows, so will its website, and for whatever the reason, all web-related equipment will need to be directly supervised. When that happens, it’s not too late to introduce a hardware WAF appliance. Because they are based on the same technology, it won’t make your work any less efficient. Simply think of both as the same thing. Making the switch from one to the other will be a smooth process. If you do plan to make a transition from Cloudbric’s services to a hardware WAF, do use WAPPLES. Your system will never noticed it made a change from Cloudbric’s cloud based services to the WAPPLES appliance, allowing you to continue work without interruption.

If the plan is to use a hardware WAF from the beginning, again, I recommend WAPPLES. The logic engine powering WAPPLES is definitely required for today’s web standards. Until now, detection has been forced to rely on signature based technologies which use a list labeling how safe or dangerous requests are. However, in this era of IoT, the web has expanded exponentially. The size of web traffic will increase to soaring levels. How can we rely on a list determine whether each and every bit of that immense web traffic is safe, dangerous or ambiguous? It’s impossible. This is where a logic based engine which can analyze traffic for malicious behavior and block these threats before they have any effect comes in handy.