Skip to main content
Application Security padlock icon

This post is from the Arxan blog and has not been updated since the original publish date.

Last Updated Oct 17, 2018 — Application Security expert

Traditional Security Measures Aren’t Enough in Today’s Zero-Trust World

Application Security

Why you need app protection in front of a WAF and other traditional security solutions

Every few years a new security technology comes along that is the answer to everyone’s prayers to address the latest security issue. Endpoint protection and firewalls were originally the ultimate security 1-2 punch, until mobile and cloud technology came along, minimizing the effectiveness of network firewalls and essentially blowing apart “the perimeter.” Then it was network security, DDoS protection, IPS, mobile security, NGFW, WAF, and more. As technology evolves, new attack surfaces emerge, and new security tools are needed. So where does that leave us today?

Applications Have Evolved, Therefore Security Needs To As Well

“There’s an app for that” really has changed the way organizations connect and interact with customers, partners and employees. But, as with most things, no good deed goes unpunished. As organizations make access to goods and services easier and quicker, applications have taken center stage as the primary way to connect — regardless of the device or location of the user — apps are essentially the new “endpoint”. And, in order to improve performance, responsiveness and a seamless customer experience, more logic now sits on the client side of an application today — including the structure of the application, API endpoint references, payload formats, and cryptographic keys.

The Anatomy of a Web App Attack

Unfortunately, secure app development processes have not evolved fast enough, leaving apps and users exposed. For web applications, many of which are written in JavaScript, this means critical information is sitting out in the open, unprotected. If you look at web applications from an attacker’s perspective, the first step in determining where the vulnerability lies is static app analysis — can the attacker easily read the code and find any interesting information? In some cases critical information is hard coded into the app — like the inadvertent disclosure of sensitive configuration data or the encryption keys to unlock the application.

The next step for an attacker is to force a dynamic app analysis using a debugger. Note, nothing bad is happening here (yet), other than some reconnaissance being done to try to find an app vulnerability. Once identified, the attacker can attempt to tamper with the code to change the behavior of the app, or to skim data that a customer may enter into the application (i.e. user credentials). The problem for organizations is that traditional security tools will not pick up this suspicious activity because it happens at the application layer, in the browser, before a WAF or other traditional security solution is even engaged.

A WAF And Traditional Security Defense Are Too Late

Many people believe that a WAF is all you need to protect web applications from threats. In reality, a WAF is only part of the solution. It is designed to protect servers from malicious activity, bad network traffic and a whole host of other inbound network-based threats including:network protocol attacks, denial of service attacks, XSS, SQL injection (OWASP top 10 web attacks), and dynamic application attacks.

But, as seen with recent web-based application breaches at British Airways and Ticketmaster, even if a WAF was in place and properly configured, it would not have been able to prevent these breaches because it was too late. Magecart attacked the application code on the front end, and exfiltrated data before it even reached the network traffic layer to engage the WAF. It is also very difficult for a WAF to provide protection against a targeted API attack. Protecting the application code is needed to ensure exposure of the API is minimized against threats.

How Web Application Protection Gets Ahead of Threats

Implementing a web app protection solution is the answer to your front-end web app security problem. Arxan for Web allows organizations to address client-side threats to web applications before they can be used to compromise critical back office assets.

Arxan delivers the only web protection capable of alerting the business if an application’s code is being attacked or analyzed — leading indicators of future API attacks or the creation of targeted malware. In addition to providing a range of code obfuscation techniques — making your JavaScript incredibly hard to understand by an attacker — Arxan added Threat Analytics to its web protection to send real-time threat data alerts. With the added ability to understand if your web apps are being attacked, businesses can now update protections in real-time stopping API attacks before they can start. Threat Analytics can also provide advanced warning and help disrupt attackers looking to create targeted malware to execute man-in-the-browser attacks. Arxan for Web is also straightforward to integrate with development operations by protecting web apps via on-prem or cloud based solutions.


Not to sound like a broken record, but layered protection really is the key to getting security “right.” Security technologies are designed to protect against different types of attacks and there is no “one-size-fits-all” approach for organizations. As bad actors continue to push the boundaries and identify new frontiers to exploit, organizations need to be on the cutting edge and ensure their critical assets are protected. Traditional security techniques cannot stop today's application attacks because by the time they are triggered, the attacker is long gone with your customer’s critical information. Contact us to find out how Arxan for Web can help.

More from the Blog

View more
Apr 29, 2021

Why better security means better products

Application Security
Over the past 15 years, businesses have learned a lot about the value ...
Read More
Jun 05, 2020

In Plain Sight II: On the Trail of Magecart

Application Security
On the surface, the breaches that impacted British Airways, Ticketmast ...
Read More
Jun 02, 2020

Here Comes CCPA

Application Security
  Ready Or Not, Here It Comes! As of publication, there are 147 ...
Read More
May 27, 2020

Application Security: Testing is NOT Enough

Application Security
In the software development world, developers are faced with a break ...
Read More
Contact Us