Addressing major application vulnerabilities with the Qualys Cloud Platform

12:05 AM

In this podcast, Vikas Phonsa, Director of Product Management, Web Application Firewall, Qualys, talks about the application security space in general, the challenges of securing web applications, and how the comprehensive application security portfolio offered by Qualys can help security teams by simplifying application security.


Here’s a transcript of the podcast for your convenience.

My name is Vikas Phonsa, I’m the Director of Product Management for Application Security at Qualys. Today we’re going to talk about the application security space in general, the challenges of securing web applications, and finally how the comprehensive application security portfolio offered by Qualys can help security teams by simplifying application security.

So, the Qualys platform consists of an application scanning solution and a web application firewall. And these two solutions allow you to not only detect security vulnerabilities in your applications, but also allow you to actually patch those vulnerabilities. Now, let’s look at what makes application security complicated in general.

If you look at the industry-leading Verizon Data Breach Investigations Report for 2016 and 2017, you will find that web applications were the number one source of data breaches two years in a row. So while a lot of focus is put on securing networks and endpoints, let’s not forget about securing your web applications. And in today’s connected and Internet-driven world, web applications have become an extremely important part of the business world. Whether you’re shopping online, booking travel or just ordering a taxi from your phone, a web application is pretty much involved in those transactions, and it’s extremely important to protect those applications and keep the data of your customers and end users secure.

Data breaches, when they happen, of course erode your customers’ confidence in your business and allow your competitors to gain a market edge on you, and besides that, IBM and the Ponemon Institute have now actually quantified the costs of data breaches. In the United States, every customer data record that gets breached costs businesses upwards of $221. Overall, the cost of a data breach incident can go upwards of $7 million. So there’s a huge cost associated with data breaches, and as we discussed earlier, a lot of these data breaches are happening through the exposure of your web applications.

Now, let’s look at some of the challenges involved in securing web applications. So, the first one is just the sheer number of applications that most businesses have. Large companies can have hundreds of web apps, and sometimes they don’t have a complete inventory of those applications. And you cannot secure an application that your security team does not know about. Also, all those applications could be using different technologies, programming languages and frameworks, and each might have different security requirements. On top of that, the threat landscape is changing on a daily, if not hourly, basis. New vulnerabilities are disclosed very often, and it is not easy to keep track of, manage and patch those vulnerabilities. Finally, companies often have to use many different security systems or tools that don’t necessarily integrate or play well with each other. A combination of all of these factors makes application security quite complicated.

Now, let’s discuss how these challenges can be addressed. One of the frameworks that is gaining a lot of traction in the security world is called the application security lifecycle. This is quite similar to your traditional software development lifecycle, or SDLC. SDLC provides guidelines to development teams on how to manage different aspects and stages of software development, and these stages typically include your development stage, your QA, or quality assurance, or testing phase, and your application being deployed in production. And SDLC provides guidelines that help development teams detect issues early on in their development cycle, because it’s very costly to fix bugs in production.

The application security lifecycle takes a very similar approach, but in the domain of security. So it provides guidelines for your security teams and your development teams to not only discover security vulnerabilities and issues early on in the development stages, but also gives you recommendations to do something about vulnerabilities should you become exposed to those when your application is deployed in production. Because it’s very common for new zero-day exploits and vulnerabilities to emerge in the technologies that you’re using, you need tools that empower you to handle those vulnerabilities in production. This is where Qualys’s application security portfolio comes into the picture as well. Our web application scanning solution acts as a client on a browser, and it tests your application for vulnerabilities and produces actionable reports. The web application firewall, on the other hand, does real-time inspection of your application traffic and can block any requests that contain malicious payloads and attacks such as SQL injection, cross-site scripting and other variations.

When you’re in the development and quality assurance stages of your application security lifecycle, web application scanning will empower your engineering teams to run automated scans so they can detect vulnerabilities early. When your application goes into production, web application scanning can still be used to continuously scan all the web applications for vulnerabilities, and the web application firewall, or WAF, empowers you to actually patch those vulnerabilities or zero-day exploits that your application might be exposed to. By virtually patching these applications and vulnerabilities in the WAF, you are protecting your apps from attacks while you work at the level of your application or your web servers to patch those and fix the issues.

A real-world example of this whole scenario is the Apache Struts vulnerability that was disclosed earlier this year. This was an extremely critical vulnerability, and it allowed attackers to send malicious characters in the Content-Type header of HTTP requests, and basically mount remote code injection attacks and take over your web servers. The customers who were using the Qualys WAF were fully protected against this vulnerability, because the WAF can inspect the Content-Type header and only allow legitimate values of that header. Anything else, any other malicious characters that have no business being in the Content-Type header value to begin with, would be rejected by our WAF. So this is a real-world example where the Qualys application security platform has protected our customers.

Out of the box, the web application firewall has policies to protect you against several categories of the OWASP Top Ten security risks. It also allows you to create custom rules, which are very specific, to address specific vulnerabilities in your applications, and a wide variety of attributes and request parameters can be used to create those custom rules. These rules also support regular expressions, so you can get quite creative in terms of the rules that you create.

Finally, let’s talk about the roadmap for the application security portfolio at Qualys. On the web application scanning side, our primary goal this year is to improve coverage and include content management systems and REST-based APIs. With the IoT and mobile revolution going on in the technology world, REST-based APIs and microservices have become a very important part of technology infrastructure. So, we’re going to focus on detecting vulnerabilities in those APIs. We’re also looking to improve the scalability of our web application scanning solution and to integrate it with other tools that customers use in the software development lifecycle process.

On the other hand, on the WAF side, we’re looking to build an API ecosystem which will let you configure the web application firewall and the various security configurations in an automated fashion. We’re also looking to protect the microservices and REST-based APIs that our customers have, and finally we’re also looking to build protections against application-layer DDoS attacks, which are also gaining a lot of traction and doing a lot of damage to our customers’ websites out there.

Thank you very much for listening, and if you need more information, please visit our website at www.qualys.com. Thank you!
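The Struts example above describes the mitigation in one sentence: inspect the Content-Type header and pass only legitimate values, rejecting anything that cannot be a valid media type. The following Python is an added illustration of that kind of allow-only-valid-syntax rule, not Qualys WAF code and not the actual Qualys rule. It assumes a hypothetical application that accepts only a small constructed allowlist of media types, and it parses the header against the token and quoted-string grammar of RFC 7230 before consulting that allowlist, so a value carrying characters that have no business in a Content-Type header fails on syntax alone, whatever payload follows. The sample header values at the bottom are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allowlist: the media types this hypothetical application expects.
# A real deployment derives this from the application's actual request handlers.
ALLOWED_MEDIA_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "application/json",
    "text/plain",
}

# RFC 7230 tchar: the only characters permitted in a media type or parameter name.
# Braces, parentheses, quotes outside a quoted-string, and control characters are
# not in this set, so they cannot appear in a syntactically valid header.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# A quoted-string parameter value: anything but an unescaped quote or backslash.
_QUOTED = r'"(?:[^"\\]|\\.)*"'
# type "/" subtype, then zero or more ";" name "=" value parameters, and nothing else.
_CONTENT_TYPE_RE = re.compile(
    rf"^\s*({_TOKEN})/({_TOKEN})\s*((?:;\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|{_QUOTED})\s*)*)$"
)


@dataclass
class Verdict:
    allowed: bool
    reason: str


def inspect_content_type(header: Optional[str]) -> Verdict:
    """Decide whether a Content-Type header value should be passed to the application.

    Two checks, in order: (1) the value must parse as a media type with optional
    parameters, so malformed or injected content is rejected before any string
    matching; (2) the media type itself must be on the allowlist.
    """
    if header is None:
        # This hypothetical policy lets requests without a body-type header through;
        # a stricter deployment might require the header on POST/PUT.
        return Verdict(True, "no Content-Type header present")
    match = _CONTENT_TYPE_RE.match(header)
    if not match:
        return Verdict(False, "malformed Content-Type syntax")
    # Media types are case-insensitive, so normalise before the allowlist lookup.
    media_type = f"{match.group(1)}/{match.group(2)}".lower()
    if media_type not in ALLOWED_MEDIA_TYPES:
        return Verdict(False, f"media type not in allowlist: {media_type}")
    return Verdict(True, f"ok: {media_type}")


def triage(samples: List[Optional[str]]) -> Tuple[List[Tuple[Optional[str], str]], List[Tuple[Optional[str], str]]]:
    """Split a batch of header values into (allowed, blocked) with the reason for each."""
    allowed: List[Tuple[Optional[str], str]] = []
    blocked: List[Tuple[Optional[str], str]] = []
    for value in samples:
        verdict = inspect_content_type(value)
        (allowed if verdict.allowed else blocked).append((value, verdict.reason))
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample values: well-formed and expected, well-formed but unexpected,
    # and malformed (stray braces, unterminated quoted-string).
    SAMPLES = [
        "application/json",
        "Application/JSON; charset=utf-8",
        "multipart/form-data; boundary=----abc123",
        "application/xml",
        'text/plain; charset="utf-8',
        "application/json {}",
        None,
    ]
    ok, bad = triage(SAMPLES)
    for value, reason in ok:
        print(f"ALLOW  {value!r:48} {reason}")
    for value, reason in bad:
        print(f"BLOCK  {value!r:48} {reason}")
```

The order of the two checks is the point: syntax first, allowlist second. A rule that only searches the header for known-bad substrings has to be updated every time a new payload variant appears, whereas a rule that insists on the grammar the header is allowed to have needs no knowledge of the payload at all, which is what makes it usable as a virtual patch while the application itself is being fixed.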


from Help Net Security http://ift.tt/2sZySIZ
