May 15 2023

Salt Security Achieves AWS WAF Ready Designation

Category: App Security,Information Security,Web Securitydisc7 @ 9:30 am

Today, API security company Salt Security announced it is now an Amazon Web Service (AWS) Web Application Firewall (WAF) Ready Partner. This service helps customers discover Partner solutions validated by AWS Partner Network (APN) Solutions Architects that integrate with AWS WAF to accelerate adoption of an enhanced and holistic security approach. AWS WAF is available to all AWS customers and all AWS Regions and can be deployed directly from the AWS console.

This partnership differentiates Salt Security as an APN member with a product that works with AWS WAF and is generally available for AWS customers. AWS WAF Ready Partners help customers quickly identify easy-to-deploy solutions that can help detect, mitigate, and analyse some of the most common internet threats and vulnerabilities.

Today, businesses of all shapes and sizes are focused on ensuring that websites and applications are protected from external threats that can lead to a loss of revenue, loss of customer trust, and loss of brand reputation. Implementing a WAF can be a challenging task that requires deep security experience that can be expensive and hard to find in-house. AWS WAF Ready Partners offer customers a simpler solution to deploying and maintaining their application layer security solution through easy-to-deploy solutions in order to detect, mitigate, and analyze some of the most common internet threats and vulnerabilities.

Gilad Barzilay, head of business development, Salt Security said: “As an AWS Software Path Partner and member of AWS ISV Accelerate Program, Salt is proud to expand our existing relationship with AWS by becoming an AWS WAF Ready Partner. Many of our customers rely on Salt to secure their APIs on AWS. By achieving these designations, we make it easier and faster for businesses to protect the APIs running on their AWS environments. Our customers benefit from our unique cloud-scale API data lake architecture, which applies AI and ML for API discovery and threat protection.”

“Deploying the Salt platform took almost no effort,” said Jason Weitzman, senior application security engineer at Xolv Technology Solutions. “It integrated quickly with our existing Cloudflare, AWS, Jira and other systems. It also started identifying errors and delivering insights on how to craft better APIs within minutes.”

The Salt platform deploys out of band, to avoid any interference with application performance or availability. The Salt platform pairs with AWS WAF as an API traffic collection point and to block detected attackers. To support the seamless integration and deployment of solutions such as the Salt platform, AWS established the AWS Service Ready Program. The program helps customers identify solutions integrated with AWS services and spend less time evaluating new tools, and more time scaling their use of solutions that are integrated with AWS services.

APIs are a hot topic among cybersecurity professionals and C-suites at the moment due to their increasingly vital business roles. Earlier this year Salt released a new API report that showed a 400% Increase in Attackers, demonstrating the prevalence.

Security of services hosted in the Cloud with Le WAF: Web Application Firewall

 InfoSec tools | InfoSec services | InfoSec books

Tags: WAF, Web Application Firewall


Sep 28 2022

How Can WAF Prevent OWASP Top 10?

Category: next generation firewall,Web SecurityDISC @ 9:11 am

The OWASP Top 10 security risks point out the common vulnerabilities seen in web applications. But it does not list the set of attack vectors that WAFs (Web Application Firewalls) can simply block. This is but a myth often propagated by many a security vendor. OWASP Top 10 protection is the joint responsibility of the security vendor and the application developers.

There is a lot that an effective security solution and WAF can do to secure OWASP vulnerabilities. But in some cases, the security solution may not be able to give complete coverage against it and requires the developers/ organizations to take preventive action. 

In this article, we help you understand how a comprehensive, intelligent, and fully managed WAF can augment OWASP Top 10 protection. 

A Quick Introduction to WAF 

WAF is the first line of defense between the web application and the web traffic, filtering out malicious requests and bad traffic at the network edge. The best WAFs are part of larger security solutions that combine deep, intelligent scanning, bot management, API protection, etc., with OWASP protection. They also leverage self-learning AI, behavioral and pattern analysis, security analytics, global threat feeds, and cloud computing in combination with human expertise. 

WAFs and OWASP Top 10 Protection

Broken Access Control 

To effectively prevent this OWASP vulnerability, organizations must fix their access control model. WAFs can help organizations by 

  • Proactively identify attack vectors leveraged by attackers to exploit vulnerabilities such as design flaws, bugs, default passwords, vulnerable components, etc. 
  • Testing for the insecure direct object reference, local file inclusions, and directory traversals
  • Providing visibility into the security posture, including access control violations
  • Implementing custom rate limiting and geo limiting policies.

Cryptographic Failures

The encryption of everything, in rest and transit, is necessary for OWASP Top 10 protection against cryptographic failures. WAFs, augment protection by testing for weak SSL/TLS ciphers, insufficient transport layer protection, crypto agility, sensitive information sent via unencrypted channels, credentials transmitted over encrypted channels, etc. Organizations can then fix any issues that are identified. 

Injections

User input sanitization, validation, and parameterized queries are critical to prevent this risk. For OWASP protection against injections, WAFs use a combination of whitelist and blacklist models to identify all types of injection – command, SQL, code, etc. 

WAFs leverage behavior, pattern, and heuristic analytics and client reputation monitoring to proactively detect anomalous behavior and prevent malicious requests from reaching and being executed by servers. They use virtual patching to instantly secure injection flaws and prevent attackers’ exploitation. 

Also, Download Your Copy of OWASP Top 10 2022 Playbook

Insecure Design 

By integrating the WAF and the security solution right into the early stages of software development, organizations can continuously monitor and test for security weaknesses. For instance, organizations can identify insecure codes, components with known vulnerabilities, flawed business logic, etc., in the early SDLC stages by deploying a WAF and fixing them. This helps build secure-by-design websites and apps.  

Security Misconfigurations 

For OWASP Top 10 protection against security misconfigurations, WAFs use a combination of fingerprinting analysis and testing. They fingerprint web servers, web frameworks, and the application itself and test error codes, HTTP methods, stack traces, and RIA cross-domain policies to look for security misconfigurations. 

WAFs use automated workflows to intelligently detect misconfigurations, including default passwords, configurations, unused features, verbose error messages, etc. They virtually patch these misconfigurations to prevent exploitation by threat actors. They offer real-time visibility into the security posture and insightful reports, enabling organizations to keep hardening their security posture. 

Vulnerable and Outdated Components 

The intelligent scanning capabilities of WAFs enable organizations to continuously detect vulnerable and outdated components. Here, again instantaneous virtual patching helps secure these OWASP vulnerabilities until fixed by developers. 

Identification and Authentication Failures

Organizations must implement effective session management policies, strong password policies, and multi-factor authentication for OWASP Top 10 protection against identification and authentication failures. Intelligent WAFs leverage their strong technological capabilities to accurately identify these failures. 

They leverage their bot detection capabilities – workflow validation, fingerprinting, and behavioral analysis – to prevent brute force attacks, credential stuffing, and other bot attacks resulting from the exploitation of broken authentication and session management. 

Software and Data Integrity Failures

WAFs are equipped to detect these OWASP security risks effectively using their continuous scanning and pen-testing capabilities. They use a combination of negative and positive security models to prevent this risk. 

Security Logging and Monitoring Failures

The best WAFs offer ongoing logging and monitoring features and complete visibility into the security posture. They offer cohesive dashboards that can be used to generate customizable and visual reports, gain critical insights and recommendations to improve security, etc. 

Server-Side Request Forgery (SSRF)

For protection against SSRF, implementation of positive rules, user input validation, etc., by the organizations is critical. WAFs, on their end, can be configured to block unwanted website traffic by default, encrypting responses, preventing HTTP redirections, etc. 

OWASP Top 10 security risks

Web Application Firewall WAF A Complete Guide

Tags: Next-Gen WAF protection, OWASP Top 10, WAF


Jul 01 2020

40% of security pros say half of cyberattacks bypass their WAF – Help Net Security

Category: App Security,Web SecurityDISC @ 10:59 pm

There are growing concerns around the number of businesses vulnerable to cyberattacks due to hackers’ ability to bypass their WAF.

Source: 40% of security pros say half of cyberattacks bypass their WAF – Help Net Security



Sorry About your WAF – Modern WAF Bypass Techniques
httpv://www.youtube.com/watch?v=nKJmgE-dYds







Download a Security Risk Assessment Steps paper!

Subscribe to DISC InfoSec blog by Email

Take an awareness quiz to test your basic cybersecurity knowledge

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles




Tags: WAF, web app security