Friday, August 12, 2011

Hiring Response to Recent Attacks Is Misguided

Sadly, the response to the security compromises in the news seems to be a push to buy more firewalls. Firewalls provide no defense against application security attacks: a network firewall has to let HTTP and HTTPS through to the web application, and an attack such as SQL injection arrives inside exactly that permitted traffic. The article below reminds me of a great chart by Gunnar Peterson.


According to the Barclay interim report, which is also being referenced in stories on CSOonline.com:
The increase in electronic attacks has had a direct impact on the demand for network security professionals. Companies are now strengthening their network security infrastructure. There is an increase in demand for firewall experts with qualifications in Juniper and Checkpoint and for security practitioners with experience of configuring IDS/IPS systems. As the year progresses those who have specialised in network security will be more highly sought after which will increase rates for permanent and contract candidates alike. 
If you read through the Barclay report you'll notice they are specifically referring to the following high-profile events:

Attacks against:
  • Visa, Amazon, MasterCard and PayPal
  • The multiple Sony compromises
  • Nintendo, RSA SecurID, Gmail and CitiBank

Some of these were distributed denial of service attacks, but many were application-specific attacks that resulted in compromise and data disclosure. If the concern is SQL injection and application security, then invest in your SDLC and look for application security experts. No amount of firewalls will help with this issue: the vulnerable query lives in the application code, and the fix lives there too.
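To make the point concrete, here is an added example (not code from the original post, and not from any of the compromised companies mentioned) showing why the SQL injection problem is an SDLC problem. The vulnerable login query and its parameterised replacement are both ordinary application code; the injected request is a perfectly valid HTTP form submission that any port-80/443 firewall rule would admit. The table, the two user rows and the `login_*` function names are all constructed for this illustration.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory users table with plaintext
    passwords, used only to keep the example self-contained."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The defect: user input is spliced into the SQL text, so it becomes
    part of the query grammar instead of a value. Returns (username, role)
    on a match, else None."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()


def login_fixed(conn, username, password):
    """The fix, in the application: a parameterised query. The driver sends
    the statement and the values separately, so input can never change the
    query structure."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo():
    """Run the same attacker-supplied username through both versions.
    The payload closes the string literal and comments out the password
    check ('--' starts a comment in SQLite)."""
    conn = build_db()
    attacker_username = "alice' --"
    attacker_password = "wrong"
    return {
        "vulnerable": login_vulnerable(conn, attacker_username, attacker_password),
        "fixed": login_fixed(conn, attacker_username, attacker_password),
        "legit": login_fixed(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-10s -> %r" % (name, result))
```

The vulnerable path logs the attacker in as the admin user without a password; the fixed path treats the same string as a literal username that does not exist. Nothing about the network path changed between the two runs, which is the author's point: the control that mattered was a code review or a secure coding standard, not an appliance.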

Now, don't get me wrong. We still need firewalls and many network security experts. They provide invaluable security services. Just make sure your strategy is actually addressing the problem you are attempting to solve.


-Michael Coates - @_mwc

3 comments:

  1. They're not firewalls anymore. They're "context-aware security platforms". According to analysts, this is the most transformational area of information security going forward in the future.

    Web fraud detection, in-app web application firewall (APIDS) technology, and other application security stuff? Analysts don't seem to like this stuff, perhaps due to it not being installable in the data center in a sexy, sleek appliance format.

  2. Call it what you want, but an appliance sitting outside the application will not provide full protection against fundamental design flaws, access control, and I'm suspicious it would even catch many SQL injections (sure, it could catch a few generic attack types).

  3. There are two application-level attack vectors which are being heavily used today.

    (1) Social engineering attacks like spear-phishing to lure users to malware-laden web pages. First, a firewall that can classify traffic by application enables an organization to create a "default deny" policy at the application level, thus reducing the organization's attack surface. Second, allowed applications can then be monitored for threats at wire speed more easily because the threat prevention function knows what the application is. Third, the firewall should be able to correlate outbound traffic to detect botnet C&C traffic. Finally, executables coming down the pipe must be analyzed using heuristics and suspicious code must be executed to determine if the suspicious code is actually malicious.

    (2) Direct attacks on vulnerabilities of web applications (SQLi, XSS, CSRF). This is where SDLC should be the primary security control. However, complementary controls of black box web application vulnerability testing and web application firewalls further mitigate the risks of these attacks.

