Web Application Security: WAF Vs. FTSP

For most organizations, web applications are not just the most visible part of the business, but also a critical method for customers to access private information and engage in sensitive transactions. As such, organizations should ensure that it provides a safe, reliable, and secure environment for their customers. However, in practice, many businesses fail to consider the full scope of the application environment when evaluating threats and security measures, or they take a piecemeal approach, combining multiple solutions with each only having limited visibility into the application environment.

Website Infrastructure

Vulnerabilities in the infrastructure used by a website are the most commonly probed. This includes:

  • The underlying operating system on which the web server is running
  • The web server itself, usually Apache or IIS
  • Any web frameworks or UI frameworks on which the application code is built

Any new vulnerabilities against infrastructure components are typically widely circulated, and organizations that fail to follow regular system patching and hardening practices have higher exposure. One high-profile example of this was an Apache Struts vulnerability that went unpatched for months at Equifax, leading to the theft of highly sensitive information on over 140 million people in 2017.

The Web Application

More sophisticated attacks will target application-level vulnerabilities. Many of these are general techniques, such as exploiting poor validation in applications for SQL Injection, file inclusion, and cross-site scripting. These are the most common – SQL Injection alone typically accounts for roughly half of all application-level attacks – because they do not require special application knowledge and because so many websites are susceptible. These and other attacks are ranked among the Top Ten web application security risks published by the Open Web Application Security Project (OWASP) precisely because they are more difficult to mitigate and require web development teams to continually check for in web application code.

But these higher-level attacks can also be very application-specific, exploiting flaws in the business application logic itself such as improper session management, privilege escalation, poor error handling, information leakage, etc. Because every website is different, a determined attacker with a specific agenda can almost always find high or critical vulnerabilities in a target's website.

Web application-level attacks can have a very high impact, as they attempt to reach through the web server front end and attack the application logic or backend databases, potentially accessing customer account data or personal information, altering or falsifying data, and manipulating transactions for theft or fraud. These can also be used to gain entry for deeper attacks within a corporate network.

Traditional WAF Approach

Traditional web security strategies focused entirely on protecting the web server itself from attack. This is reasonable since not only is it the most accessible target – it is by design publicly accessible on the Internet and at least partly open to all visitors – it is also the richest target. The web server is the hub through which all online interactions flow. An attacker who targets a single user has access only to that user's information, but an attacker who targets a website can potentially have access to information on all users.

Application-level attacks have driven the development of Web Application Firewalls and related solutions that seek to filter out threatening web traffic before it reaches the website. This essentially creates a shield around the website, protecting the hub of all web transactions.

The Modern Approach: Full Transaction Stack Protection

Yet this server-only approach is incomplete. Any transaction involves multiple parties, and web application transactions are no different: the website is one participant, and the end-user, or customer, the other. For any single transaction, both participants are equally involved, and both need to be included in any risk analysis and security approach.

Organizations managing web applications need to consider the full scope of threats to the business. Full Transaction Stack Protection means extending protection out of the end-user's device, ensuring the communication channel is resilient against service disruption and defending the web server from targeted attacks and bots. It also encompasses all layers of the web application including the infrastructure and application layers as well as the transaction layer to defend against fraud.

Trusted Knight's Protector Air is the only unified solution for addressing security and fraud through Full Transaction Stack Protection. Furthermore, Protector Air's cloud-based, turnkey deployment means there is nothing to install or manage, and requires no integration or modification with the website. Finally, Protector Air has no software to download and zero impact on the user experience, eliminating user frustration and support headaches while still providing protection for 100% of the user base.

This blog post is an excerpt from the technical white paper Exploring Full Transaction Stack Protection.

Ted McKendall

Over 20 years of cybersecurity product design and management and the mastermind behind many cloud-delivered payment industry security solutions used by millions of businesses today.