This post is from the Arxan blog and has not been updated since the original publish date.
Traditional Security Measures Aren’t Enough in Today’s Zero-Trust World
Why you need app protection in front of a WAF and other traditional security solutions
Every few years a new security technology comes along that is the answer to everyone’s prayers to address the latest security issue. Endpoint protection and firewalls were originally the ultimate security 1-2 punch, until mobile and cloud technology came along, minimizing the effectiveness of network firewalls and essentially blowing apart “the perimeter.” Then it was network security, DDoS protection, IPS, mobile security, NGFW, WAF, and more. As technology evolves, new attack surfaces emerge, and new security tools are needed. So where does that leave us today?
Applications Have Evolved, Therefore Security Needs To As Well
“There’s an app for that” really has changed the way organizations connect and interact with customers, partners and employees. But, as with most things, no good deed goes unpunished. As organizations make access to goods and services easier and quicker, applications have taken center stage as the primary way to connect, regardless of the device or location of the user; apps are essentially the new “endpoint”. And, in order to improve performance, responsiveness and a seamless customer experience, more logic now sits on the client side of an application today, including the structure of the application, API endpoint references, payload formats, and cryptographic keys.
The Anatomy of a Web App Attack
The next step for an attacker is to perform dynamic analysis of the app using a debugger. Note that nothing bad is happening here (yet), other than some reconnaissance being done to try to find an app vulnerability. Once one is identified, the attacker can attempt to tamper with the code to change the behavior of the app, or to skim data that a customer enters into the application (e.g. user credentials). The problem for organizations is that traditional security tools will not pick up this suspicious activity, because it happens at the application layer, in the browser, before a WAF or other traditional security solution is even engaged.
A WAF And Traditional Security Defense Are Too Late
Many people believe that a WAF is all you need to protect web applications from threats. In reality, a WAF is only part of the solution. It is designed to protect servers from malicious activity, bad network traffic and a whole host of other inbound network-based threats, including: network protocol attacks, denial of service attacks, XSS, SQL injection (OWASP top 10 web attacks), and dynamic application attacks.
But, as seen with recent web-based application breaches at British Airways and Ticketmaster, even if a WAF had been in place and properly configured, it would not have been able to prevent these breaches, because it would have been engaged too late. Magecart attacked the application code on the front end and exfiltrated data before it ever reached the network traffic layer where the WAF operates. It is also very difficult for a WAF to provide protection against a targeted API attack. Protecting the application code itself is needed to minimize the API's exposure to such threats.
How Web Application Protection Gets Ahead of Threats
Implementing a web app protection solution is the answer to your front-end web app security problem. Arxan for Web allows organizations to address client-side threats to web applications before they can be used to compromise critical back office assets.
Not to sound like a broken record, but layered protection really is the key to getting security “right.” Security technologies are designed to protect against different types of attacks, and there is no “one-size-fits-all” approach for organizations. As bad actors continue to push the boundaries and identify new frontiers to exploit, organizations need to be on the cutting edge and ensure their critical assets are protected. Traditional security techniques cannot stop today's application attacks because by the time they are triggered, the attacker is long gone with your customers’ critical information. Contact us to find out how Arxan for Web can help.