A comprehensive solution for application security in the Cloud

Application threats are constantly evolving.

October 31, 2012

Application threats are constantly evolving. Recent international high-profile Internet attacks on organisations prove that no one is immune and that perpetrators are extremely organised, skilled, and well-funded. The attacks are multi-layered and constant, and seek not only to deface a website but also to steal valuable data. Customer data, intellectual property and other highly sensitive information are the top targets.

Many organisations do a decent job of securing their infrastructure components, but are challenged when it comes to securing their web applications, whether they are hosted in-house, in a cloud environment, or both. The majority of security breaches are the result of web application attacks, which can cost companies significant amounts of money and seriously damage brand reputation. In addition to financial losses, an organisation may also have to address compliance and legal issues, public scrutiny, and loss of trust among shareholders and customers.

It’s clear that protecting applications, while still keeping them highly available to valid users, is critical to the survival of an organisation. In response to these evolving challenges, F5 has released F5 BIG-IP Application Security Manager (ASM) version 11, which provides the application protection organisations require to block evolving threats, no matter where the applications are deployed in today’s dynamic environments. BIG-IP ASM is a high-performance, ICSA-certified web application firewall (WAF) that provides a strategic point of control within the infrastructure, from which enterprises can dynamically adapt to changing conditions and securely deliver crucial applications.

“Companies often grapple with how to secure their applications in the cloud, especially when they are unable to deploy their own security appliances and must rely on the provider’s solutions, which may leave organisations vulnerable and potentially liable for failing to meet regulatory requirements,” says F5 Senior Systems Engineer, Martin Walshaw. BIG-IP ASM is available in a Virtual Edition (BIG-IP ASM VE), which delivers the same functionality as the physical edition and helps companies maintain compliance when they deploy applications in the cloud. “If an organisation discovers an application vulnerability, BIG-IP ASM VE can quickly be deployed in a cloud environment, enabling organisations to immediately virtually patch vulnerabilities until the development team can permanently fix the application. Additionally, organisations are often unable to fix applications developed by third parties, and this lack of control prevents many of them from considering cloud deployments. But with BIG-IP ASM VE, organisations have full control over securing their cloud infrastructure,” explains Walshaw.

BIG-IP ASM is designed to block all known web application vulnerabilities, including the OWASP Top 10, which covers attacks such as XSS, SQL injection, and cross-site request forgery (CSRF). AJAX (Asynchronous JavaScript and XML), a combination of technologies, is becoming more common within enterprises because it allows developers to deliver content without reloading the entire HTML page in which the AJAX objects are embedded. Unfortunately, AJAX code can allow an attacker to modify the application and prevent a user from seeing their customised content, or even initiate an XSS attack. Additionally, some developers are using JSON (JavaScript Object Notation) payloads, a lightweight data-interchange format that is understood by most modern programming languages and used to exchange information between browser and server. If JSON payloads carrying sensitive information are not secured, there is the potential for data leakage.

“BIG-IP ASM v11 can parse JSON payloads and protect AJAX applications that use JSON for data transfer between the client and server. F5 is the only WAF vendor that fully supports AJAX, which is becoming more common even within enterprises. An organisation should only buy a WAF that can handle AJAX, because even if it isn’t currently using AJAX, it certainly will be in the near future,” says Walshaw.

Application code is not the only thing to worry about when considering online security threats. Threats can come from a variety of sources, including malicious hackers, unscrupulous users, and valid users. File upload forms, and users uploading their own files, can pose a significant risk to applications. Often, the first step in attacking a system is to insert code into the system and have it execute. File uploads can help an intruder accomplish this, enabling attackers to deface a website, introduce other vulnerabilities like XSS, add a phishing page to the website, or even upload a file in the hope that the IT administrator launches it.

In BIG-IP v10.2, F5 introduced antivirus inspection using a remote device via the Internet Content Adaptation Protocol (ICAP). This was applied only to files uploaded in HTTP multipart transactions, such as when a user fills out a browser form or includes file attachments and sends the entire message to a server. With BIG-IP v11, BIG-IP ASM extracts every file upload and sends it to an antivirus scanner for inspection. BIG-IP ASM can inspect file uploads sent via HTTP, files attached to SOAP transactions or embedded in XML documents, and every file upload within a multipart request.

Managing compliance is yet another daily consideration for IT. Organisations need an at-a-glance, up-to-the-minute view of their regulatory requirements. While IT departments might have a grasp on compliance within their own environments, compliance in the cloud can still be a significant hurdle. BIG-IP ASM is the first product to offer integration between a vulnerability assessment tool, WhiteHat’s Sentinel, and a web application firewall. The WAF provides the web application protection, while the scanner provides insight into application vulnerabilities. The BIG-IP ASM and WhiteHat Sentinel combination enables organisations to quickly scan their applications for vulnerabilities and virtually patch them at the press of a button, closing the gap between vulnerability detection and remediation.

“Overall, F5 BIG-IP ASM v11 is the most comprehensive WAF on the market. The virtual edition is cloud-ready, offering flexible deployment and cloud security for virtualised applications,” concludes Walshaw.