Don’t Be Fooled by the Illusion of Security

2015-06-10

Ľuboslav Tileš, Sales manager ANASOFT

If you neglect 3 basic rules, even the best-quality security appliance will not protect your website from cyber risks.

The Internet, except at its very beginning when it operated only in the academic environment, has never been a completely secure place. Recently, however, the number and diversity of Internet threats and risks have been growing. As a result, the need to protect data, financial transactions or “just” the availability of a web service, and with it the company’s reputation and good name, is also increasing.

Many managers are aware of the Internet risks that lurk around their company website. More security-conscious IT departments are therefore gradually giving up the illusion of being bulletproof that the deployment of a web application firewall can create. These are appliances “inserted” between the web server and the Internet which protect online shop or bank websites, and their popularity is growing.

A quality web application firewall can be extremely effective in protecting web applications against Internet threats (e.g., against an attempt to congest a web and put it out of operation or to hack the site and steal data). It can use a combination of several techniques for protection.

For example, it draws information from a constantly updated database of IP addresses from which attacks are currently in progress. Above all, it strives to learn the protected application. To put it simply, it continuously examines and analyzes what is normal in terms of the application's logic and what is not, which lets it prevent even unknown types of threats. Moreover, it can adapt to changes. For example, if you update and change the application, the web application firewall automatically adapts to its new functionality.

However, IT security never consists of just one layer, and it is definitely not enough to focus on only one of them.

Here are 3 things you should pay attention to before deploying a web application firewall (WAF):

  • The security of the web application should be considered when designing its architecture, when choosing the platform and during development when errors and vulnerabilities frequently occur. In other words, a web application should be designed to work in the best possible way but without being “leaky” or vulnerable. Not all designers stick to this philosophy.

  • Programmers are also humans who frequently get too involved in their work. When debugging and testing an application, they can lack the necessary distance; for this reason, it is useful to do a code review after the application has been developed and to have the security risk assessed by a third party. Outsourcing to another company is not always necessary; sometimes the review can be done by a different programmer or development team.

  • Penetration tests are the third building block of a well-secured website. Tests must be done regularly and fairly frequently. In an effort to save money, some companies carry out penetration tests not quarterly but only once a year, although they update the web application four times. However, Internet threats change from day to day, and the task of penetration tests is to reveal the risks arising from new, heretofore undetected threats.

If your web application is well designed, developed and audited, the WAF is the cherry on top that will help you minimize the risks of data leakage or abuse, of your website becoming inaccessible or being modified, or of the financial transactions you provide online being compromised. Remember, there is no such thing as 100% protection; you must always seek the optimal balance between security (and related costs) and potential risks.