Basefarm Blog

How a Web Application Firewall can protect against bad coding

By: Hans-Petter Fjeld and Abel De Kat Angelino, Information Security Engineers at Basefarm

You might think, and you could even be right, that your own web application is perfectly written with zero bugs, so that no attacker can obtain information they should not be able to. But what about the software surrounding your web application? Unfortunately, this is often software you have no control over: frameworks, web servers, operating systems, and sometimes even hardware.

The aim of a Web Application Firewall (WAF) is to ensure that your web application is kept safe even if there are coding mistakes in it or in any of the underlying systems or frameworks it runs on top of.

A WAF, given the correct setup of rules, could for example protect your web application against unknown threats, so-called zero-days. One example is the Command Injection exploit that was released for Apache Struts, which allowed an attacker to gain direct access to the server simply by modifying the Content-Type header; from there the attacker could steal data and move further into the network. By utilizing a WAF, customers were able to protect themselves against the attack even before a patch was available. This was possible because the intelligence built into it could recognize that a Command Injection was being attempted and thus block it.
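The Struts case above also shows the other way a WAF rule can work: rather than knowing the exploit, a positive-security rule admits only Content-Type values that are syntactically valid media types the application actually consumes, so a header carrying code-like structure is rejected before the framework ever parses it. The following is an added illustration, not Basefarm's or any WAF vendor's code; the allow-list and the sample requests are constructed for this example.

```python
import re

# Simplified RFC 7231 media-type grammar:
#   type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )
# Braces, parentheses and other non-token characters never appear in a valid value.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\\x00-\x1f\x7f]|\\[\x09\x20-\x7e])*"'
_PARAM = rf"{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"[ \t]*{_TOKEN}/{_TOKEN}(?:[ \t]*;[ \t]*{_PARAM})*[ \t]*")

# Media types the (hypothetical) application behind the WAF accepts.
ALLOWED_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "application/json"}


def inspect_content_type(value, allowed_types=ALLOWED_TYPES, max_len=256):
    """Positive-model check of one Content-Type value: ("allow"|"block", reason)."""
    if len(value) > max_len:
        return "block", "header exceeds %d bytes" % max_len
    if not _MEDIA_TYPE.fullmatch(value):
        return "block", "value is not a well-formed media type"
    # type/subtype is always before the first ';' (tokens cannot contain ';')
    media = value.split(";", 1)[0].strip().lower()
    if media not in allowed_types:
        return "block", "media type %r not accepted by the application" % media
    return "allow", "well-formed and on the allow-list"


def filter_request(headers):
    """Apply the check to a parsed request; header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return inspect_content_type(value)
    return "allow", "no Content-Type header"


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    {"Host": "app.example", "Content-Type": "application/x-www-form-urlencoded"},
    {"Host": "app.example", "Content-Type": 'multipart/form-data; boundary="----constructed"'},
    {"Host": "app.example", "Content-Type": "text/plain; x={(#constructed)}"},  # code-like junk
    {"Host": "app.example", "Content-Type": "image/png"},  # valid, but the app never accepts it
    {"Host": "app.example", "Content-Type": "application/json; charset=" + "A" * 300},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(filter_request(req), req["Content-Type"][:60])
```

A rule like this blocks the malformed header regardless of which framework bug it targets, which is why it kept working before the Struts patch existed.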

At another layer you have the web server your web application runs on top of. Vulnerabilities are found in it from time to time, and sometimes they will not get patched. One example is CVE-2017-7269, which had a known exploit available, but Microsoft said they wouldn’t patch. In this case, a WAF would be able to assist you.

As you can see, it’s not only your own web application that is a target here, it’s your entire environment. So, even though there is never a silver bullet when it comes to IT security, you should always work to keep your code as well-written as possible to avoid potential breaches. Moreover, a WAF is one of the most important aspects of your ability to defend your web application against data breaches.

-Let’s Be Careful Out There (Hill Street Blues)

If you are interested, read more here:

http://bfblogg.wpengine.com/blog/are-you-prepared-for-ddos-attacks/

Or contact us and we will get back to you!
