HackerSecret.com - The Most Authoritative Site in the World on the Hacking Tools and Techniques, Penetration Testing and CyberSecurity

  • Home
  • Visit Our Shop
  • Download the free App
  • Contact us for Info
VISIT OUR SHOP! CLICK HERE !

Application Security? But I Have a WAF!

by / Wednesday, 22 April 2020 / Published in Hacking
Share
Tweet
Pin
0 Shares

Originally posted on 12/28/2016

It seems so tempting. Solve your application security problem by throwing an appliance at it. After all, if web applications are the most common form of attack, why not just protect them the same way you protect your network and email servers, and be done with it? Why should you spend timeツ?hunting down vulnerabilitiesツ?in your code and figuring out how to fix them?

The ???appliance throwing??? approach would be viable if web application firewalls (WAFs) were perfect, but protecting your app layer with only a WAF leaves a lot of holes. WAFs, at their heart, are black-box protection technologies that rely on inspecting incoming traffic for known attack patterns ??? and that???s often not enough. There are circumstances where WAFs will leave you vulnerable to attack, for instance:

ツ?

Missed attack due to new patterns

A WAF tries to use known attack patterns to protect an application. It can be tuned via writing rules, but attackers are coming up with new patterns all the time. In fact, creating WAF bypasses is something of a cottage industry for security researchers, to the point thatツ?you can download cheat sheets for creating WAF bypasses from security researchers like @Pentestit_ru and @themiddleblue, the editor-in-chiefツ?from 1337pwn, or the well-known OWASP foundation.

And that???s not even including the risk of new vulnerability categories. Veracode Community member Mark Merkow from HealthEquity notes, ???Even if a WAF is configured 100 percent correctly and catches and stops attacks it knows about successfully and every time, it’s still at risk for letting new attacks through, including zero-day attacks. With Web Services and API communications as the most likely future form for all apps, WAFs will become less and less useful. What will survive in this new world are well-written, high-quality, resilient applications that can stand up to endless attacks.???

ツ?

Missed attack due to application changes

Based on the results of a penetration test or other evaluation of an application, you can make a WAF very accurate by creating rules that focus on specific input fields and types of vulnerability. However, you have to maintain these rules every time the application is changed. The SANS Institute notes, “During the WAF deployment, everyone involved understands exactly which form fields and inputs are vulnerable and to which attack categories but, over time, this knowledge fades.ツ?Many organizations lack the in-house expertise to conduct penetration tests every time they change the web application or WAF configurationツ?(and miss the opportunity to ensure a vulnerability was not introduced).???

SANS issued this report over five years ago. In the intervening years, the frequency of application updates has only gotten higher thanks to increased adoption of agile software development and DevOps. This means that the window of time during which a WAF configuration should not require updates due to application changes has dramatically decreased.

ツ?

Missed attack due to configuration complexity

The same SANS report notes that it???s not uncommon for WAFs to be extended to cover more applications than they can handle, to fail under high load, or to have a high number of false positives. For this reason, some organizations configure their WAFs to alert only in the event of a potential attack, rather than try to block it ??? which means that a successful attack will likely be missed in the midst of other alerts from the WAF.

There are definitely still benefits to deploying WAFs, including avoidance of denial of service attacks and???when properly configured??? some protection against an attack. If nothing else, they slow an attacker down.

ツ?

No application security silver bullet

Effective application security requires multiple technologies that protect apps in different ways and in different stages of their lifecycle. As Veracode Community member, Glico Man, said in a recent comment, ???WAF is a ???safety net??? and may provide ???virtual patching??? until the application code is fixed??ヲ A well-configured WAF will provide more time for a developer to fix their code.???

If you???re going to use a WAF, you won???t be protecting your products from attack indefinitely. So use the time a WAF gives you wisely; figure out where the underlying vulnerabilities are in your application and fix them. For instance, consider an automated application security solution that integrates into your SDLC, allowing developers to find and remediate security-related defects early in the development process.

ツ?

Cyberattackers are increasingly focused on the application layer; it???s critical to understand both how this layer is being exploited, and which solutions protect it most effectively. To learn more about application security solutions and where to start, check out the Ultimate Guide to Getting Started With AppSec or visit the Veracode Community page. ツ?

Application Security Research, News, and Education Blog

Share
Tweet
Pin
0 Shares
Tagged under: Application, Security

Click here now to visit our Shop!

Click here now to visit our Shop!

Other 2300 users like you have already done it this year!

Choose the product you need here!

  • THE FIRST TRUE ANDROID SMARTPHONE FOR HACKING WITHOUT ROOT UNIQUE IN THE WORLD WITH ALL THE APPS !!! 499,99€ 249,99€
  • HACKER LIBRARY THE LARGEST COLLECTION OF BOOKS AND MANUALS ON HACKING + 100 !!! 99,99€ 49,99€
  • HACK SOCIAL THE GUIDE TO HACK ALL THE SOCIAL ACCOUNTS 99,99€ 49,99€
  • HACKER PACK FOR YOUR SMARTPHONE AND YOUR TABLET WITH ROOT GUIDE AND + 100 PROGRAMS !!! 99,99€ 49,99€
  • THE FIRST TRUE ANDROID SMARTPHONE FOR HACKING UNIQUE IN THE WORLD WITH ALL THE APPS !!! 599,99€ 299,99€
  • HACKER PACK FOR YOUR COMPUTER AND NOTEBOOK + 1000 PROGRAMS 5 GB OF STUFF !!! 99,99€ 49,99€

Our customers say

Annabel M. – Systems Engineer

 
Samuel D. – Ethical Hacker

 
Karola M. – Influencer

 
Marcus P. – Private Investigator

 
Rosemary S. – Housewife

 
Amit V. – IT Consultant

 
Matthew C. – Entrepreneur

 
Aisha B. – Computer Science student

 
Li W. – IT Analyst

 
Robert C. – Programmer

 

DOWNLOADED 1316 TIMES!

DOWNLOADED 1316 TIMES!

Download now Hacker Secret our free Android app.

CONTACT US NOW FOR IMMEDIATE SUPPORT!

Contact Us
Write your email address here
Write here how we can help you - we support you immediately for all your needs!

## Are you looking for products for hacking, computer security and penetration testing? Do you need to clean up your smartphone, your PC or your site from viruses and malware? Do you need to track down someone or retrieve urgent information? Do you want to buy devices already configured to experiment all the hacking techniques quickly and easily? Do you have special needs in software or hardware? ##

Contact us now … another 2300 users like you have already done it this year!

Click here now!

 

Search on the site

Latest posts

  • Veracode CEO on the Relationship Between Security and Business Functions: Security Can’t Be Effective in a Silo

  • Half a million stolen French medical records, drowned in feeble excuses

  • Google looks at bypass in Chromium’s ASLR security defense, throws hands up, won’t patch garbage issue

  • Announcing Veracode in AWS Marketplace: Streamlining Secure Software Development for AWS Customers

  • Imperva pretty adamant that security analytics aggregator product Sonar is not ‘one dashboard to rule them all’

All the techniques, products and services described or contained on this site are intendend for exclusive use of study and professional training and to test the security of own's computer network in accordance with the national legislations on access to computer and online systems. All the services provided on this site (penetration testing, social accounts hardening, Incident Response & CSIRT, MSSP, Cybersecurity Consultancy, etc.) can be provided only with prior written and documented authorization from the owners or their legitimate representatives in accordance with current national regulations .

TOP