Web Application Firewalls 101 – Keywords to Bookmark

Web security is not a new concept. From the dawn of the Internet, cyber criminals have been experimenting with and mastering ways to exploit the data housed within online properties. And as businesses increasingly transition online, the volume of attacks has skyrocketed. According to a recent study,* the number of new vulnerabilities per month exceeded 17,000 in 2018. That’s nearly a 23% increase from 2017. From 10-person startups to thousand-person enterprises, cyber threats are an equally legitimate concern (or at least they should be). Arm yourself with the tools you need to protect your business from malicious attacks (automated or not). The first step is familiarizing yourself with the keywords/terms used most frequently in the application security space.

The following post details, in alphabetical order, the first 10 keywords:

Active Deception 

  • A series of actions and techniques used to mislead attackers and encourage them to take actions that help determine whether or not they are a malicious actor.

Application Profiling 

  • The automated monitoring and analysis of one or more applications, with the initial intent of establishing a baseline of normal activity so that deviations in behavior and in interactions with the application that may signify malicious activity can be identified easily.

Application Programming Interface (API) Security 

  • The act of (or tools used in) protecting the integrity of an organization’s APIs (owned and external), including the data that passes through these APIs. Tactics for detection and enforcement include geofencing, denial-of-service protection, and brute-force protection. In the modern AppSec space, API traffic should get the same level of protection as your web front-end.

Active Attacker Fingerprinting 

  • The process of identifying a single attacker based on certain characteristics of their browser, including browser type, version, and operating system. Active fingerprinting uses JavaScript (or other client-side code) to observe additional characteristics such as window size, installed fonts, and plug-ins. This fingerprint enables a system to re-identify the same client in subsequent visits to and interactions with your web properties.

Attack Signatures  

  • A uniquely identifying attribute of an attack. Traditional web application security solutions use libraries of these signatures to scan traffic and pinpoint known threats. Behavior that does not match a pre-determined signature is not flagged. Therefore, whenever a new attack is identified, a new signature is required. This method is reactive by nature.
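To make the reactive nature of signature matching concrete, here is an added example (not code from the original post or from ThreatX) that scans a few constructed request lines against a small regex signature library. The request that matches nothing in the first library version goes unflagged until a signature for it is added; the path is URL-decoded once before matching, the normalization step a signature engine needs so that percent-encoded and plain bytes are compared alike. Signature names, sample paths, and the `scan`/`flagged_indices` helpers are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not from the page): (method, path, user agent).
SAMPLE_REQUESTS = [
    ("GET", "/products?id=42", "Mozilla/5.0"),                        # ordinary traffic
    ("GET", "/download?file=../../etc/passwd", "Mozilla/5.0"),        # path traversal
    ("GET", "/search?q=<script>alert(1)</script>", "Mozilla/5.0"),    # reflected XSS probe
    ("GET", "/.env", "Mozilla/5.0"),                                  # config-file probe, unknown to v1
]

# Version 1 of the signature library: two well-known patterns.
SIGNATURES_V1 = {
    "path-traversal": re.compile(r"\.\./"),
    "reflected-xss": re.compile(r"<script[\s>]", re.IGNORECASE),
}

# Version 2: the same library after the analyst adds a signature for the new probe.
SIGNATURES_V2 = dict(SIGNATURES_V1)
SIGNATURES_V2["dotenv-probe"] = re.compile(r"^/\.env\b")


def normalize(path):
    """URL-decode once so percent-encoded bytes are matched like plain text."""
    return unquote(path)


def scan(requests, signatures):
    """Return {request_index: [matching signature names]} for flagged requests."""
    hits = {}
    for i, (_method, path, _ua) in enumerate(requests):
        target = normalize(path)
        matched = [name for name, rx in signatures.items() if rx.search(target)]
        if matched:
            hits[i] = matched
    return hits


def flagged_indices(requests, signatures):
    """Indices of requests that match at least one signature, in order."""
    return sorted(scan(requests, signatures))


if __name__ == "__main__":
    print("v1 flags:", scan(SAMPLE_REQUESTS, SIGNATURES_V1))   # request 3 is missed
    print("v2 flags:", scan(SAMPLE_REQUESTS, SIGNATURES_V2))   # request 3 is now caught
```

The gap between the two runs is the whole point of the definition above: until someone writes the `dotenv-probe` signature, the fourth request is indistinguishable from normal traffic to this engine, which is why signature libraries are paired with behavioral methods in the later keywords.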

Bot Detection 

  • The act of classifying a malicious actor as an automated bot. This is accomplished through a variety of detection techniques, including behavioral analysis, characterization, and more. Even though bots may use disparate, unrelated IP spaces, detection allows us to correlate, associate, and identify them as the same entity. Other techniques such as rate limiting can slow down bots while the evaluation phase is taking place.

Cloud Native 

  • An approach to building and running applications that takes full advantage of modern cloud computing models, including the use of microservices. Cloud-native solutions operate in a container-based environment, which facilitates resource isolation and makes them API- and microservice-friendly.

Contextual Behavioral Analysis  

  • The process of analyzing the behavior of an application and/or an attacker to determine the risk level it poses to an organization, keeping the circumstantial context in mind. This method allows decisions to block or flag entities to be made with additional data, and results in fewer false positives.
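The Application Profiling, Bot Detection, and Contextual Behavioral Analysis entries describe one pipeline: learn a baseline, compare new traffic against it, and let context (here, the share of error responses) decide between flagging and blocking, with rate limiting slowing a suspected bot while that evaluation runs. The following added example (not code from the original post or from ThreatX) runs that pipeline over constructed log records. The thresholds, the `MIN_MARGIN` floor, the 0.8 error-ratio cut-off, and the sliding-window limiter are assumptions chosen for illustration, not any vendor's algorithm.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

# --- Constructed sample traffic (not from the page) -------------------------
# Each record: (seconds since window start, client address, path, HTTP status).
BASELINE_LOG = []
for n, logins in zip(range(1, 6), (1, 2, 2, 3, 2)):      # five ordinary clients
    client = f"10.0.0.{n}"
    for k in range(logins):                              # first login fails, rest succeed
        BASELINE_LOG.append((k * 20, client, "/login", 401 if k == 0 else 200))
    for k in range(4):                                   # four product views each
        BASELINE_LOG.append((k * 10, client, "/products", 200))

NEW_LOG = [(k * 20, "10.0.0.6", "/login", 200) for k in range(2)]        # normal visitor
NEW_LOG += [(k * 10, "10.0.0.6", "/products", 200) for k in range(5)]
NEW_LOG += [(k, "203.0.113.9", "/login", 401) for k in range(30)]        # automated login burst

SIGMA = 3        # how many standard deviations above the mean counts as anomalous
MIN_MARGIN = 3   # floor on the margin, so a zero-variance baseline does not flag +1


def count_by_client_path(log):
    """Request and error counts keyed by (client, path)."""
    counts, errors = defaultdict(int), defaultdict(int)
    for _, client, path, status in log:
        counts[(client, path)] += 1
        if status >= 400:
            errors[(client, path)] += 1
    return counts, errors


def build_profile(log):
    """Application profiling: per-path threshold learned from normal traffic."""
    counts, _ = count_by_client_path(log)
    per_path = defaultdict(list)
    for (_client, path), n in counts.items():
        per_path[path].append(n)
    return {path: mean(ns) + max(SIGMA * pstdev(ns), MIN_MARGIN)
            for path, ns in per_path.items()}


def evaluate(log, profile):
    """Contextual analysis of a new window: 'block' when a client's volume on a
    path is anomalous AND mostly errors, 'flag' when it is merely anomalous."""
    counts, errors = count_by_client_path(log)
    verdicts = {}
    for (client, path), n in counts.items():
        threshold = profile.get(path)
        if threshold is None or n <= threshold:
            continue
        error_ratio = errors[(client, path)] / n
        verdicts[(client, path)] = "block" if error_ratio > 0.8 else "flag"
    return verdicts


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, client, now):
        q = self.hits[client]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def apply_rate_limit(log, limit=10, window=60):
    """Replay a window in time order; return how many requests each client had denied."""
    limiter = SlidingWindowLimiter(limit, window)
    denied = defaultdict(int)
    for t, client, _path, _status in sorted(log):
        if not limiter.allow(client, t):
            denied[client] += 1
    return dict(denied)


if __name__ == "__main__":
    profile = build_profile(BASELINE_LOG)
    print("profile:", profile)                       # /login threshold 5.0, /products 7.0
    print("verdicts:", evaluate(NEW_LOG, profile))   # only the burst client is blocked
    print("denied:", apply_rate_limit(NEW_LOG))      # 20 of its 30 requests rate-limited
```

Note how the error ratio is what separates "flag" from "block": the same volume of successful logins would only be flagged for review, which is the reduction in false positives the Contextual Behavioral Analysis entry refers to. The limiter, meanwhile, caps the burst at ten requests per minute without needing any verdict at all.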

Cross Customer Correlation 

  • The act of correlating the behavior of malicious actors on one set of web applications with the behavior of suspicious actors on another set of web applications to help determine the true risk of the suspicious actors. If a new entity exhibits behavior similar to that of an entity that was subsequently blocked, the risk score of the new entity rises dramatically.

Cybersecurity Kill-Chain 

  • The “kill chain” was originally used by the military to signify the progression of a planned attack. This concept was adapted to the web application security space by Lockheed Martin to monitor hackers as they take malicious steps towards an attack, from pre-exploitation to post-exploitation. The various phases are: Reconnaissance, Scanning, Web Application Mapping, Brute Force Attack, Denial of Service, Exploitation, and Malware Communication. 

Stay tuned for subsequent posts as we continue to detail the top keywords for professionals in the web application security space. 


*Imperva State of Web Application Vulnerabilities in 2018

*** This is a Security Bloggers Network syndicated blog from ThreatX Blog authored by Mackenzie Jacobson. Read the original post at: https://blog.threatxlabs.com/web-application-firewalls-101-keywords-to-bookmark