strongboxitwaf
StrongBox IT
3 posts
www.strongboxit.com
strongboxitwaf · 5 years ago
Application Security Testing
Web and mobile applications today face a host of threats, stemming both from inherent, unpatched platform vulnerabilities and from flaws in configuration or deployment.
Guided by OWASP, SANS and NIST standards, StrongBox IT’s security testing services validate web and mobile applications across a wide range of threat vectors, with comprehensive test suites providing optimum coverage.
Pentest your Application.
strongboxitwaf · 5 years ago
Web Application Firewalls (WAF) and Its Advantages for Enterprises
With the accelerated rise in the number of companies adopting the cloud for running business applications and storing private data, cybercriminals have started to target web applications and websites.
According to an IBM report, the average cost of a data breach to enterprises is US$ 3.86 million. The figure is even higher for U.S. companies, where the average data breach costs around US$ 8.64 million. A data breach has far-reaching consequences, causing financial losses and affecting an enterprise's business and compliance in the short term. A cyber-attack news headline will also damage a firm's reputation, leading to competitive disadvantage and lost business.
This is where Web Application Firewalls (WAFs) come into the picture: a WAF helps enterprises protect internal and public data and applications, and helps companies avoid costly data breaches and downtime.
What is a Web Application Firewall (WAF)?
A Web Application Firewall (WAF) guards web applications by monitoring and filtering HTTP traffic between the web application and the Internet. WAFs are available as physical or virtual appliances, and nowadays are frequently delivered from the cloud as a service.
While proxies or firewalls protect clients, Web Application Firewalls protect servers. WAFs are deployed to defend a web application or a collection of web applications. They are commonly deployed in-line as a reverse proxy, one of the easiest ways to perform policy enforcement and full inspection. Other deployment options include WAF plug-ins and out-of-band deployment.
Advantages of WAFs
WAFs protect web applications and APIs against different types of internal and external attacks, such as injection attacks, application-layer denial of service (DoS), cross-site scripting (XSS) and automated attacks (bots), among others. WAFs provide signature-based protection and also support positive security models and anomaly detection.
Deploying a Web Application Firewall in front of a web application creates a defensive layer between the application and the Internet. A WAF deployed as a reverse proxy shields the server from direct exposure by making clients pass through the WAF before reaching the server.
An application firewall works through a set of rules, usually called policies. These policies are intended to shield the application against vulnerabilities by filtering out malicious traffic.
Part of a WAF's value comes from the speed and ease with which policies can be changed, allowing a quicker response to different attack vectors. For example, during a DDoS attack, rate limiting can be applied promptly by adjusting WAF policies.
According to Gartner, by 2023, it is expected that around 30-35% of public-facing APIs and web applications will be defended by web application and API protection services, which consolidate WAFs, DDoS protection, API protection, and bot mitigation.
So, if your company is considering implementing an application firewall or would like to know more about it and how WAF can protect your enterprise data, then get in touch with an expert at StrongBox IT.
strongboxitwaf · 5 years ago
How an application firewall like Modshield SB could have saved the day
Freepik, a popular website ranked in the Alexa top 100 that provides free stock photos and design graphics, announced on Friday (21 August) that it had suffered a major data breach caused by a SQL injection vulnerability.
In a statement, the company said that it immediately notified the authorities of the breach, which is estimated to have affected 8.3m users of Freepik and its free graphic-resource subsidiary Flaticon.
Freepik said that the breach was due to a SQL injection in Flaticon that allowed an attacker to access user information from the company’s database. The breach affected 8.3m of the company’s oldest users, whose email addresses and password hashes were accessed. A password hash cannot be used on its own to log into a user account, as it is not the password but a scrambled representation of it; it does, however, help an attacker crack the passwords more efficiently.
Freepik’s data breach
The company said that of the 8.3m affected users, 4.5M had no hashed password because they used exclusively one or more federated login methods (Google, Facebook and/or Twitter), so the only data the attacker obtained for them was their email address.
The remaining 3.77M users affected by this breach had their email addresses revealed, and for 3.55M of these users the password was hashed with a modern algorithm, bcrypt. The passwords of the remaining 229,000 users, however, were salted and hashed with the obsolete MD5 algorithm. The company said that, as a result of the breach, it has now migrated the hashes of all users to bcrypt.
The company took steps to protect its users by revoking the passwords of those hashed with the obsolete algorithm and sent them an email urging them to choose a new password, and to change their password immediately on any other site where it was reused.
The company also added that users whose passwords were hashed with bcrypt received an email suggesting that they change their password, especially if it was an easy-to-guess one. Users whose only leaked data was their email address were notified promptly, since the impact was lower and no special action is required of them.
“While no system is 100% secure, this should not have happened and we apologise for this leak,” the company said. While incidents like these are truly unfortunate and put the reputation of the affected company on the line, it is worth noting that the same types of attack could have been prevented easily by using an efficient Web Application Firewall (WAF) such as Modshield SB, which includes the popular ModSecurity engine and the OWASP Core Rule Set, effectively protecting against the host of attacks highlighted by the OWASP Top 10 threat vectors.
Modshield SB combines the power of ModSecurity and the OWASP Core Rule Set with an easy-to-use, easy-to-implement interface, dashboards for compliance reporting and a built-in load balancer.
Modshield SB is threat aware, fed by continuous threat intelligence feeds to address the latest threats in the landscape.
Modshield SB also lets application owners implement access controls using whitelists and blacklists for IP addresses and geographies.
Modshield SB offers a DLP option which matches the application server’s responses against standard patterns of sensitive information and blocks a response when a predefined format is encountered.
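To make the mechanisms described on this page concrete (the policy-driven request inspection and rate limiting from the WAF post above, and the response-side DLP pattern matching just described), here is an added example of a minimal reverse-proxy style policy engine in Python. It is not Modshield SB's, ModSecurity's or the OWASP CRS's code; the rule names, regexes, client addresses and sample requests are all constructed for illustration.

```python
import re
import time
from collections import defaultdict, deque
from urllib.parse import unquote_plus

# Constructed request signatures standing in for WAF "policies" (not Modshield SB's or CRS's real rules).
REQUEST_RULES = {
    "sqli-quote-or": re.compile(r"'\s*(?:or|and)\s+['\d]", re.I),
    "sqli-union-select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
}
# Constructed DLP pattern for the response side: 13-16 digit card-like numbers must not leave the server.
RESPONSE_RULES = {"dlp-card-number": re.compile(r"\b(?:\d[ -]?){13,16}\b")}


class Waf:
    """Minimal reverse-proxy style policy engine: rate limit per client, then signature checks."""

    def __init__(self, rate_limit=5, window=60.0):
        self.rate_limit = rate_limit          # requests allowed per client per window
        self.window = window                  # sliding window length in seconds
        self._hits = defaultdict(deque)       # client -> timestamps of recent requests

    def inspect_request(self, client_ip, path, query, now=None):
        """Return ('allow', None) or ('block', rule_id) for one inbound request."""
        now = time.monotonic() if now is None else now
        hits = self._hits[client_ip]
        while hits and now - hits[0] > self.window:   # drop hits that fell outside the window
            hits.popleft()
        hits.append(now)
        if len(hits) > self.rate_limit:               # the "rate limiting during DDoS" policy
            return "block", "rate-limit"
        # Normalise percent-encoding before matching so encoded payloads are seen as the app would see them.
        target = unquote_plus(path) + "?" + unquote_plus(query)
        for rule_id, pattern in REQUEST_RULES.items():
            if pattern.search(target):
                return "block", rule_id
        return "allow", None

    def inspect_response(self, body):
        """DLP check on the upstream reply: block it if it carries a sensitive-data pattern."""
        for rule_id, pattern in RESPONSE_RULES.items():
            if pattern.search(body):
                return "block", rule_id
        return "allow", None


if __name__ == "__main__":
    waf = Waf(rate_limit=3)
    print(waf.inspect_request("203.0.113.7", "/search", "q=a%27+OR+%271%27%3D%271", now=0.0))
    print(waf.inspect_response("card on file: 4111 1111 1111 1111"))
```

A real WAF normalises far more than percent-encoding (case, Unicode, double encoding, body parsing) and logs every verdict with the matched rule id so analysts can tune false positives; this block shows only the ordering of rate limit, request signatures and response DLP.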