Wednesday, April 12, 2017

Why does the web app security problem exist?

Complexity – did you ever write the code for an app and see how many items needed to be addressed before even talking about security?

Non-standard – code is written based on the developer's knowledge and experience. There are many ways to implement even a simple concept like password salting. There are no standards or guidelines that every web developer is committed to.

3rd party – developers must rely on 3rd party libraries and servers, and have no way to verify that they are all secure.

Design – web apps are designed to serve clients with various content, and the goal is to sell, to market themselves, or just to share information. It means that security comes as a secondary goal at best, and that makes total sense.

Easy – due to the complexity of web apps it is not that difficult to find holes, or to take advantage of innocent users and trick them into installing malware.

Hard to deal with – organizations are struggling to secure all their customer information and to stay above water. The reason is they have so many security concerns, products, procedures, logs, tasks, and much more, which makes it almost unmanageable.


Genesis – web application security is still not a fully solid process, and some of the basics are still not decided and adopted as best practices within the industry.

Monday, April 10, 2017

2017 - The return of the WAF. Why are WAFs back?

 It's out there
  • Web applications are the most targeted, and they are open 24/7 for attack
  • Web applications have complexity, hence more security concerns
  • No one sees the big picture in terms of security

 Security:
  • Virtual patching is a good remediation
  • There are still SQLi vulnerabilities
  • The ultimate forensics tool
  • The only way to know if someone is trying to hack you, or has already hacked you
  • A WAF sees the big security picture, while apps are not designed for security
  • Bots are a challenge to any web site owner; a WAF can deal with bots
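To make "virtual patching" and "there are still SQLi vulnerabilities" concrete, here is an added example (not code from the original post): a lookup built by string concatenation, the parameterised fix the application should ship, and a hypothetical WAF-style rule that blocks the injection on the vulnerable parameter until that fix lands. The users table, the names and the rule pattern are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn

def lookup_vulnerable(conn, name):
    # String concatenation: the classic SQLi hole the post says still exists.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_fixed(conn, name):
    # Parameterised query: the real remediation, in application code.
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()

# Hypothetical virtual-patch rule of the kind a WAF applies in front of the
# app until the code fix ships. It is scoped to the one known-vulnerable
# parameter rather than applied to every request.
VIRTUAL_PATCH = re.compile(r"""['"]|--|/\*|\b(or|and|union|select)\b""",
                           re.IGNORECASE)

def waf_allows(param_value):
    """True if the virtual patch lets this parameter value through."""
    return VIRTUAL_PATCH.search(param_value) is None

def handle_request(conn, name, patched=False):
    """Simulated request flow: optional WAF rule, then the unfixed handler."""
    if patched and not waf_allows(name):
        return "blocked"
    return lookup_vulnerable(conn, name)

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"          # constructed attack input
    print("unpatched:", handle_request(db, payload))            # both rows leak
    print("virtual patch:", handle_request(db, payload, patched=True))  # blocked
    print("code fix:", lookup_fixed(db, payload))               # no rows
    print("benign name vs patch:", waf_allows("o'brien"))       # False: false positive
```

The last line shows the caveat a practitioner cares about: the virtual patch blocks the attack today, but it also rejects a legitimate name containing an apostrophe, so it is a stopgap that buys time for the parameterised query, not a replacement for it.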

New technology
  • New environment: cloud technology takes us back to the old days of unsecured web sites, with the same problems, just a little more sophisticated.
  • New protocols: WebSocket is an underlying protocol that enables implementations for various usages, and those implementations should take care of the same old security attack vectors: session management, scrubbing user input and more.
  • There are more challenges to the application than ever: scraping, DoSing bots and many more business problems with a security orientation that should be detected and mitigated.

And there is more…