Do you need a cloud-based web application firewall (WAF)?

By Towne Besel -

a shield icon with a flame overlay and a brick wall background

 

Your application is crucial to the delivery of your solution or service and user experience is key. On top of that, customers have a short attention span — so, if your app does not load fast enough or another solution is more appealing, users will go to the competition.

Companies spend millions of dollars and work diligently to capture their users’ attention. Plus, they have to ensure the safety of the information gathered about their customers, the data generated by the service and the security of data systems deployed to provide the solution. With all the investment, how do you ensure your application is secure and delivered on time, with the user experience you expect?

One key area that people overlook is cloud-based web application firewall (WAF). Without a WAF, your application may already be vulnerable to these attack vectors:

  • Web exploits
  • API abuse
  • Availability attacks
  • Bots, scrapers and crawlers

 

“But I have AWS, Azure, or GCP. Do I still need a cloud WAF?” Yes! Cloud providers excel at offering compute solutions for their customers to deploy applications. But securing those applications is your responsibility.

In addition, each provider has their own solution that works only for their platform. In contrast, cloud WAF solutions specialize in securing your application from end-to-end by providing a single solution for all your environments, no matter the scale, complexity or cloud provider you are deployed with.

Let’s take a look at how cloud WAFs protect your application and keep your data secure.

 

Web exploits

Very skilled attackers work to discover weaknesses in the code running the applications on the internet. Once vulnerabilities are discovered, they develop zero-day exploits which can be used against applications running the vulnerable code.

Often, these hackers sell the exploits on the dark web and other forms for fun and profit. Malicious hackers then scan the entire internet for vulnerable applications. Once discovered, they can use the tools available on the dark web to steal your data and intellectual property and pilfer your customers’ data, credit card information or other personally identifiable information (PII).

What makes this situation worse, commodity exploits are easy to search for and do not require any skill to execute. Even if your company has endpoint protection and intrusion detection, your application could still be vulnerable to web attacks.

Deploying a cloud WAF is a simple solution to protect your applications against web exploits, including the Open Web Application Security Project (OWASP) top ten threats — which includes cross-site scripting, security misconfigurations and SQL injection attacks. 

 

API abuse

Hackers are not just looking for vulnerabilities in your web applications — they also target the systems that support your application. In most modern application development, the communication between systems is driven by an application programmable interface (API). And in 2020, 91% of enterprises experienced an API security incident.

APIs are used for machines and programs to communicate with each other and enable the fast delivery users expect. Just as we rely on an application to deliver a service or solution, applications and mobile apps rely on APIs to deliver valuable information to their supporting systems. API attacks are growing in popularity.

By deploying a cloud WAF, you can protect your mobile apps from attacks against their supporting systems and vital APIs — such as lack of resources, rate limiting, broken authentication and other OWASP Top Ten Threats for APIs.

 

Availability attacks

Applications are also vulnerable to attacks against availability. For example, with denial-of-service (DoS) attacks, hackers launch massive assaults that flood your application and are capable of overwhelming even the best-designed solution. This can degrade or often impair your users’ experience.

What makes this worse are the various styles of DoS that can be used. If you are deployed on-prem, then your internet bandwidth or network aggregation point could be overwhelmed by a Volumetric attack that saturates the network with bogus traffic like SYN floods or DNS amplification attacks.

Many companies have discovered a way to mitigate Volumetric DDoS attacks by embracing digital transformation and migrating to a cloud provider like AWS, Azure or Google Compute. These providers offer security groups that allow users to block unwanted ports and protocols, similar to a stateful firewall. This strategy will prevent floods of bogus traffic from reaching your application, but it does not block traffic on the ports or protocols your application relies on. Adversaries have discovered techniques to launch attacks against the required ports and protocols with bogus application requests.

This attack is called an application DDoS since the target is the application instead of the network. On-prem customers have very few solutions to defend themselves when both volumetric and application DDoS attacks are used in combination.

With a cloud WAF, your application will be secure from both volumetric and application DDoS attacks.  Cloud WAF DDoS mitigations are available for on-prem, cloud or hybrid environments.

 

Bots, scrapers, and crawlers

Once you have your application deployed and secured, you can focus on capturing your customer’s attention, right? Unfortunately, no.

Scammers are looking to get any advantage they can get, and your service or solution is no different. Industries from shoe sales to concert venues have been impacted by “bad bots,” which are programs written to buy all of a hot-selling item before any consumers can. The scammers then resell the items later for a much higher price.

Furthermore, a malicious competitor who wants to undercut your business may write a “scraper” to monitor changes to your site including deals or sales you have. Using these programs, scammers can steal your customer by offering similar items for slightly cheaper. Given the choice between two similar items, consumers will choose the lower price.

To get an edge on the competition, companies invest heavily on Search Engine Optimization (SEO) and marketing to improve their results on places like Google. The techniques and tactics used to maintain the top result are proprietary to every organization and form a basis of their intellectual property. The use of robots.txt is an industry best-practice and a great solution for well-behaving crawlers to know when and if to index your site, but malicious crawlers and adversaries write programs to steal your SEO and other trade secrets used to maintain top search results.

Through the use of a cloud WAF, you can block blocks bots, scrapers and crawlers from hitting your application. The effect will be less unwanted traffic, a reduced cost on your infrastructure, a higher return on your marketing investment and a better overall customer experience.

 

How Rackspace Technology can help

At Rackspace Technology, our customers leverage our Managed Cloud WAF solution to secure their applications in the cloud, on-prem and in hybrid environments. With Managed Cloud WAF, our experts provide everything from security to application delivery, which allows our users to focus on running their business. Managed Cloud WAF is an easy way to deploy a global-scale security solution across multi-cloud and hybrid environments.

Take the next step toward protecting your applications. Take our quick 15 question security self-assessment and receive a professional consultation with a cloud expert. They’ll review your results with you, answer questions and make best-practice recommendations on how to address any identified security gaps.

 

Know your cybersecurity risk score.Take the assessment