We hear a lot in the news about increasingly massive DDoS attacks—those network assaults do, after all, lend themselves to catchy headlines featuring “Death Star-sized botnets” and “world record” attacks—but for most enterprises and large organizations, there is a whole spectrum of application attacks that are equally concerning. Just take a look at the “Attack” category page at OWASP.org (that’s the Open Web Application Security Project) and you can see a list of 70 or more techniques that attackers use to exploit vulnerabilities in applications.
Many of these attacks have interesting and fun-sounding names—brute force, spoofing, stuffing, man-in-the-middle, tabnabbing—but in reality, application attacks are no laughing matter. In 2017, for example, the average cost to a US business affected by a data breach was $7.35 million. And data breaches are just the most visible consequence of one subset of attacks—there is also the cost of network disruption or downtime; the expense of having to devote your IT staff to mitigation when they could be focused on innovation; and the losses you suffer when employees, partners, and customers cannot connect to do their jobs, sell your services, or buy your products.
But what is an organization to do? It’s not like you’re going to just give up on using applications. These days, firms of all sizes rely on web applications for just about everything: enhancing employee productivity, easing enforcement of business policies, analyzing huge amounts of data, and processing everything from payroll to accounts payable. Unfortunately, would-be attackers know how valuable these applications are to your organization, and they’re more determined than ever to bring down or compromise your most critical web apps.
For most organizations, the first line of defense is a web application firewall (WAF). Our most recent State of Application Delivery report shows that 98% of respondents protect at least some part of their application portfolio with a WAF—and more than 40% protect half or more of their apps.
As an industry leader in WAF, F5 is thrilled to see the rest of the world coming around to what we’ve been preaching for years. But you don’t become an industry leader by resting on your laurels, and we continually strive to find ways to make your applications ever more secure. Our recently announced Advanced WAF, for example, goes further than ever before to offer best-in-class application security. Advanced WAF will defend against bots (going beyond signatures and reputation to block evolving automated attacks), prevent account takeover (with encryption at the application layer), and protect apps from DoS attacks (using machine learning and behavioral analytics for high accuracy).
It is also important for us to work with other industry leaders to bring our joint customers a solution that is more capable and more secure than what either of us could deliver on our own. WhiteHat Security is one such partner. WhiteHat provides website risk management solutions that protect data, ensure compliance, and narrow the window of risk. And those solutions dovetail nicely with F5’s new Advanced WAF solution to extend an organization’s ability to defend both customer and corporate data.
Our joint solution (see figure above) uses the F5 open API to integrate Advanced WAF with WhiteHat Sentinel. In such a deployment, Sentinel delivers continuous dynamic scanning, backed by an expert team at the Threat Research Center that verifies every vulnerability to virtually eliminate false positives. At the same time, Advanced WAF is responsible for WAF protection and a host of visibility and reporting capabilities. Through careful integration, Advanced WAF uses the intelligence provided by Sentinel to automatically patch vulnerabilities, oftentimes before code fixes are available.
The result: complete, end-to-end web application security that helps ensure continued business productivity and promote growth.
Deploy a Comprehensive Web Application Security Program – WhiteHat + F5 Integration
Key Considerations in Choosing a Web Application Firewall – F5 Whitepaper
What can you do today to prevent a breach? – WhiteHat Technical Insight