GUEST ESSAY: Only cloud-based security can truly protect cloud-delivered web applications

By Vivek Gopalan

Web applications have become central for the existence and growth of any business. This is partly the result of Software as a Service, or SaaS, becoming a preferred mode of consumption for software services.

Related: AppTrana free trial offer

Most companies today own a web application and if that application is an integral part of their business, then they cannot afford to think of website security risk as an afterthought.

In a lot of cases, pure SaaS vendors such as an online e-commerce company, the website/app itself is the reason for the existence of the business. And, increasingly,  their customers are questioning them about the security of sensitive personal and business data.

This rising trepidation, with respect to web app security, should come as no surprise. Technology research firm Gartner estimates that over 70% of security vulnerabilities exist at the application layer – and 75% of security breaches happen at the application layer.

Meanwhile, the National Institute of Standards and Technology says that 92% of reported vulnerabilities are in applications, not networks; and NIST pegs the cost of fixing such bugs in the field at $30,000 vs. $5,000 if the bug is fixed during coding.

The speed factor

There is compelling rationale for companies to take proactive steps to continually improve web application security. For one, compliance with standards, such as section 6.6 of Payment Card Industry Data Security Standard, requires either secure code review or deployment of a Web Application Firewall (WAF.)

Gopalan

A more fundamental driver is the fact that speed is of the essence for companies today. As new software gets pushed out on the fly, this velocity tends to create fresh attack vectors. Threat actors recognize this, and they’ve become proficient at quickly spotting fresh flaws in new applications — and exploiting them.

The technology community has responded with efforts to push security reviews earlier and deeper in the development cycle, with efforts such as SecOps asnd DevSecOps. That said, it remains vital for companies to take proactive measures to address web app flaws in the field, as well.

Given speed is of the essence for companies today, cloud-based security solutions are well-suited to addressing complex, fast-evolving exposures. And in the WAF space, one such cloud-based solution that accounts for the velocity of doing business in today’s digital environment is AppTrana by Indusface.

Dynamic mitigation

AppTrana is a fully-managed SaaS-delivered WAF that uses automated and manual scanning to look for common security issues, as well as deeper business logic vulnerabilities. Results are made visible in a common, centralized dashboard.

It is not uncommon for WAFs to come with out-of-the-box rules that don’t correlate well to specific applications. Often, there is scant support provided to tweak rules and update them based on the application context.

AppTrana has been designed to address this pain point —  by pre-bundling a comprehensive and flexible set of policies and management capabilities. This paves the way for rapid deployment of a fully-managed web app security regime, and provides a single point of contact to make any needed refinements.

Many users are finding that AppTrana not only results in robust security, it also can help boost web application performance. Going forward, it clearly will remain vital for companies to do both. The starting point is being able to understand – and mitigate – evolving web application risks in a highly dynamic environment.

About the essayist: Vivek Gopalan heads product management at Indusface, a supplier of WAF systems headquartered in Bangalore, India.

 

 

 

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone