Stay on top of Web application attacks, urges F5
Organisations at risk from web application attacks in the cloud, warns F5 Networks
Businesses need to stay on top of the growing and increasingly complex web application attacks happening in the cloud, according to Lori MacVittie, principal technical evangelist at F5 Networks.
Speaking ahead of the 2015 Abu Dhabi e-Crime and Information Security Summit, MacVittie said that organisations were pushing ahead with the advancement of applications without giving enough thought to the security around newly developed applications.
"We rely on applications for just about everything we do these days, and yet when we mention security we never seem to remember it," she said.
"It's really about time we start paying more attention to application security, and not just data security or network security or encrypted communications. That means we need to pay more attention to securing applications against exploitation and attack. From the platform (the web or app server) to the protocols (TCP and HTTP) to the actual code itself, we need to scan and scrub and discover and defend against the myriad methods used by attacks to exploit the entire application stack."
According to F-Secure Labs, web application attacks doubled in frequency from under 20% in 2012 to 40% in 2013. Last year, Neustar found that 55% of DDoS targets experienced smokescreening - volumetric DDoS as a cover for the real, application layer attacks - with nearly 50% having malware/virus installed and 26% losing customer data.
"Application attacks are a real and significant threat, especially as they migrate to the cloud where fewer options for protecting them may be available," said MacVittie.
"The native services available in the cloud focused on security are all about access and encryption. None of them are ‘application layer’ security and none provide the coverage necessary to inspire confidence in withstanding an attack designed to disable, corrupt or exfiltrate data by exploiting the application itself."
MacVittie explained that the best way forward is for businesses to protect applications, and the data they are responsible for handling, in the cloud much as they do in the data centre. This may include a cloud-enabled WAF (web application firewall), or WAF as a Service, or "at a minimum" a thorough application of the best practices recommended by the Open Web Application Security Project (OWASP) to every application deployed in the cloud.
"Cloud security may be viewed as a shared responsibility, with the provider and the customer taking on the chore of different aspects of securing ‘the cloud’, but application security is 110% the responsibility of those that put the applications in the cloud in the first place," she said.
"Application security isn't like an expensive bodyguard. It's not something that only the VIP apps get. It's more like personal security, and it's something every application that presents itself in public should have. And that's true whether those apps are in the data centre or in the cloud."