How the Barracuda Web Application Firewall Secures Your Mobile and IoT Services. Whitepaper



Similar documents
Barracuda Web Application Firewall: Safeguarding Healthcare Web Applications and ephi. Whitepaper

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Where every interaction matters.

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Passing PCI Compliance How to Address the Application Security Mandates

IJMIE Volume 2, Issue 9 ISSN:

Cloud Security:Threats & Mitgations

F5 and Microsoft Exchange Security Solutions

Mobile Application Security

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

APPLICATION DELIVERY

What is Web Security? Motivation

How To Protect A Web Application From Attack From A Trusted Environment

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Hack Proof Your Webapps

Sitefinity Security and Best Practices

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Achieving PCI Compliance Using F5 Products

The Hillstone and Trend Micro Joint Solution

Mobile Application Security

elearning for Secure Application Development

Strategic Information Security. Attacking and Defending Web Services

Protecting Your APIs Against Attack and Hijack

When Reputation is Not Enough. Barracuda Security Gateway s Predictive Sender Profiling. White Paper

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Check list for web developers

Mobile Application Security Study

Common Criteria Web Application Security Scoring CCWAPSS

White Paper Secure Reverse Proxy Server and Web Application Firewall

Rational AppScan & Ounce Products

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Improve your mobile application security with IBM Worklight

Barracuda Backup for Managed Services Providers Barracuda makes it easy and profitable. White Paper

Healthcare Security and HIPAA Compliance with A10

QuickBooks Online: Security & Infrastructure

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

90% of data breaches are caused by software vulnerabilities.

OWASP AND APPLICATION SECURITY

(WAPT) Web Application Penetration Testing

APIs The Next Hacker Target Or a Business and Security Opportunity?

API Security: A Guide To Securing Your Digital Channels Akana, All Rights Reserved Contact Us Privacy Policy

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

IBM Security Intrusion Prevention Solutions

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

SSL Interception Proxies. Jeff Jarmoc Sr. Security Researcher Dell SecureWorks. and Transitive Trust

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

NSFOCUS Web Application Firewall White Paper

10 Things Every Web Application Firewall Should Provide Share this ebook

Reference Architecture: Enterprise Security For The Cloud

Table of Contents. Application Vulnerability Trends Report Introduction. 99% of Tested Applications Have Vulnerabilities

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

2015 Vulnerability Statistics Report

PCI Security Standards Council

Web Application Penetration Testing

Leveraging Symantec CIC and A10 Thunder ADC to Simplify Certificate Management

White paper. Keys to SAP application acceleration: advances in delivery systems.

Integrating F5 Application Delivery Solutions with VMware View 4.5

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Essential IT Security Testing

Vulnerability Management

Penta Security 3rd Generation Web Application Firewall No Signature Required.

Criteria for web application security check. Version

Securing the Database Stack

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Chapter 1 Web Application (In)security 1

OWASP Top Ten Tools and Tactics

COORDINATED THREAT CONTROL

From the Bottom to the Top: The Evolution of Application Monitoring

PCI Compliance Considerations

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

The Top Web Application Attacks: Are you vulnerable?

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

The PerspecSys PRS Solution and Cloud Computing

Security Solution Architecture for VDI

A New Approach to IoT Security

Application Security Testing

Enterprise Application Security Workshop Series

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Web Application Security Assessment and Vulnerability Mitigation Tests

<Insert Picture Here> Oracle Web Cache 11g Overview

Load Balancing Security Gateways WHITE PAPER

The Application Delivery Controller Understanding Next-Generation Load Balancing Appliances

The monsters under the bed are real World Tour

What is an application delivery controller?

PCI DSS Compliance. with the Barracuda NG Firewall. White Paper

SANS Security 528 CASP Practice Exam

Auditing the Security of an SAP HANA Implementation

Enterprise Computing Solutions

Transcription:

How the Barracuda Web Application Firewall Secures Your Mobile and IoT Services Whitepaper

Executive Summary The mobile application space has experienced an unprecedented growth in recent years, and it s no surprise: Mobile applications enhance productivity, provide new venues to reach customers, and deliver services. Because of its rapid progression, there has also been an expeditious growth of the Internet of Things (IoT). In 2014, Goldman Sachs predicted that by 2018 consumers will spend 626 billion dollars via mobile applications, and Gartner predicts that by 2020 there will be 26 billion connected IoT devices. With the advent of these applications and devices, your application servers are a more attractive target than ever before. This whitepaper takes you through the vulnerabilities, and shows you how the Barracuda Web Application Firewall provides the ideal frontline of defense. Failure to protect the mobile application server poses the risk of losing the data of hundreds of thousands of users from an enterprise s databases. Through 2017, Gartner predicts that 75 percent of mobile security breaches will be the result of mobile application misconfigurations, rather than from the outcome of deeply technical attacks on mobile devices. Risks of Exposing APIs for Mobile and IoT Applications The radical increases in reach and productivity provided by mobile services has led to companies building a mobile presence for their businesses and services. Many new companies are fully mobile businesses, with no traditional website providing access to their services (e.g., Uber). Banks are also encouraging customers to move to mobile banking applications for all types of transactions. Other than convenience, mobile applications are allowing organizations to track a lot of metrics to get more customer data. Unfortunately, the move to mobile has come with some perils. In many cases, while the web application is secure, the mobile application does not have the same level of security; therefore, it becomes an easy opening for attackers. Companies do not invest sufficiently in mobile security and this leads to data leakage and attacks via this new surface/vector. In 2014, a HP Study found that 71 percent of mobile application vulnerabilities resided on the server. 70 percent of the most commonly used IoT devices contain vulnerabilities. HP Study Through 2015, more than 75 percent of mobile applications will fail basic security tests. Gartner Mobile and IoT Applciation typically expose their interfaces to the world via APIs, which are the mobile world s analogue to web applications. As with web applications, vulnerabilities are rampant in the mobile applications as well. Most Mobile/IoT applications and their APIs are quickly developed in order to get into the market as soon as possible. This leads to cutting corners and insufficient application of good security practices during development. As previously mentioned, many mobile applications do not have the same level of authentication security as their web counterparts. At times, these apps use spoofable information such as device identifiers and geolocation data for authenticating users. The HP study of IoT devices found that: 90% of devices studied collected at least one piece of personal information. of devices used an unencrypted network service. devices that provide user interfaces were vulnerable to a range of issues,

90% of devices studied collected at least one piece of personal information. of devices used an unencrypted network service. Barracuda How the Barracuda Web Application Firewall Secures Your Mobile and IoT Services 6/10 devices that provide user interfaces were vulnerable to a range of issues, such as persistent XSS and weak credentials. of devices, along with their cloud and mobile application, enable an attacker to identify valid user accounts through account enumeration. Barracuda Web Application Firewall Protects the API Infrastructure Firewall protects the entire API attack surface. As a reverse proxy, it intercepts and inspects all traffic to the API for malicious inputs. Using Virtual Patching, the Barracuda Web Application Firewall enables you to immediately remediate any known vulnerability in the API or framework. It provides a secure SSL/TLS stack that uses only strong ciphers and supports perfect forward secrecy. SSL/TLS can be offloaded to the Barracuda Web Application Firewall and help relax the API infrastructure. To improve mobile and IoT security, the OWASP has compiled two lists of the top 10 vulnerabilities that affect mobile and IoT applications. Firewall provides complete protection against all the server-side vulnerabilities on this table (Note: M = mobile, I = IoT): VULNERABILITY M1 - Weak Server Side Controls I1 Insecure Web Interface M7 Client-side Injection I7 Insecure Cloud Interface I8 Insecure Mobile Interface DESCRIPTION A mobile or IoT application typically works by exposing APIs for client applications to use. In many cases (due to trying to quickly get to market on time), insecure coding practices lead to multiple vulnerabilities in the API. These bugs can expose almost everything bad that can happen on the server side to the world. Some IoT applications also provide a web, cloud, or mobile-based front end configuration and monitoring. These contain the same vulnerabilites that any web application could be hit with. Client-side injection attacks are typically SQL injection, JavaScript or XML-based attacks from a compromised mobile client. These attacks could be used to perform data theft, privilege escalation attacks, etc. This typically occurs when user inputs are not sanitized before execution. BARRACUDA WEB APPLICATION FIREWALL SOLUTION Employs a mix of positive and negative security for filtering all inputs from the client application to prevent known and unknown (zeroday) attacks. It blocks any inputs that can be executed unintentionally inside interpreters. It also deep inspects all parts of the client request to detect script injection. Firewall normalizes all payloads for common encoding schemes prior to inspection and applies the protocol and limit-based checks. Finally, it inspects all XML and JSON inputs to detect obfuscated malicious payloads that are meant to evade detection.

VULNERABILITY M3 - Insufficient Transport Layer Protection I4 Lack of Transport Encryption DESCRIPTION A mobile application that uses SSL/TLS may not implement the solution properly. Very often, authentication happens over SSL/TLS, but other transactions that follow happen over plain text. In some cases, data may be weakly encrypted. In others, strong encryption may be in force, but security warnings are ignored or fallback (in case of failure) is in plain text. Very often IoT devices do not have transport encryption enabled for their local web interfaces or APIs. This causes a major problem with all data being transmitted in plain text and vulnerable. BARRACUDA WEB APPLICATION FIREWALL SOLUTION Implements strong cryptography in SSL offloading and Instant SSL. With Instant SSL, it can provide a secure front end immediately without any changes on the server side. This ensures that SSL is always on for the application, even after authentication. Firewall also supports Perfect Forward Secrecy. M5 - Poor Authentication and Authorization I2 Insufficient Authentication/Authorization Mobile applications often overlook an important aspect of application security: strong and secure authentication, and authorization systems. This is typically done in the interest of usability. When implemented, the mobile application may use authentication along with spoofable contextual values such as device identifiers or geolocation. Compromise leads to unauthorized access and privilege escalation attacks, among others. Any IoT application that provides a web or API interface could be vulnerable to the same poor AA schemes as mobile and web applications. Can pre-authenticate API services or completely offload authentication to itself. It integrates with existing authentication systems (LDAP, RADIUS, etc.), and supports client certificates, CRL and OCSP. It can whitelist and validate API keys in any part of the requests. Firewall enforces verb-based security constraints and access control to restrict access to specific methods for resources using its granular profiling capabilities. M8 - Security Decisions via Untrusted Inputs M9 - Improper Session Handling At times, specific security decisions (like authentication and authorization) are taken based on weak parameters such as cookies,tokens, etc. For the sake of usability and convenience, mobile application sessions are typically longer than web applications. Many apps maintain sessions via http cookies, SSO tokens, or use device identifiers as persistent tokens. When compromised, it can lead to privilege escalation and unauthorized access typically used to circumvent payment for the app services. It enforces session security and integrity by signing or encrypting tokens to prevent MITM attacks. I5 Privacy Concerns An IoT device or application that collects sensitive data can be vulnerable to all of the issues discussed above. Provides full server-side protection to the IoT application during connection setup and transmission as discussed in the above sections. In addition to the vulnerabilities listed above, the Barracuda Web Application Firewall also protects your mobile application against other attacks. It can prevent competitors or price watching websites from scraping your API and pulling your information from your website. These requests, which can impose an excessive load on your backend, are mitigated by using brute

force and anti-ddos policies. Firewall enables you to ensure SLAs to customers and business partners by having granular access policies to different resources. Firewall also allows you to scale more efficiently by offloading authentication and SSL/TLS from your backend servers. REST APIs are chatty by nature and offloading SSL/TLS to the Barracuda We b Application Fi rewall re laxes yo ur infrastructure. Th e Barracuda Web Application Firewall s connection multiplexing feature allows you to optimize these connections. It keeps a pool of connections open between the server, and it also multiplexes all client requests between them. This also ensures that your infrastructure is spared the impact of constant connection setup and teardown. Being a reverse proxy, the Barracuda Web Application Firewall enables caching for your API. This speeds up API delivery and reduces server load. Being HTTP aware, the Barracuda Web Application Firewall will only cache safe methods (GET) and avoid caching unsafe methods (POST). The Barracuda Web Application Firewall s compression module can compress XML or JSON data in responses, improving delivery of services over bandwidth constrained mobile networks. Conclusion As a security solution, the Barracuda Web Application Firewall provides complete and powerful security for mobile and IoT applications and services. It provides award-wining protection against hackers who leverage protocol or application vulnerabilities to instigate identity theft, denial of service, or data theft against your mobile application. Firewall has data center ready functionalities such as load balancing, SSL offloading, high availability clustering, and third party reporting integrations that make it a powerful and easy-to-use solution. With more than a decade of experience in securing web applications, the Barracuda Web Application Firewall is the proven solution used by many of the largest organizations in the world to secure their valuable assets against web threats. Whatever your platform of choice be it physical, virtual or cloud the Barracuda Web Application Firewall can protect you everywhere. About Barracuda Networks, Inc. Barracuda provides cloud-connected security and storage solutions that simplify IT. These powerful, easy-to-use, and affordable solutions are trusted by more than 150,000 organizations worldwide and are delivered in appliance, virtual appliance, cloud, and hybrid deployments. Barracuda s customer-centric business model focuses on delivering highvalue, subscription-based IT solutions that provide end-to-end network and data security. For additional information, please visit barracuda.com. Barracuda Networks and the Barracuda Networks logo are registered trademarks of Barracuda Networks, Inc. in the United States. All other names are the property of their respective owners. US 1.0 Copyright Barracuda Networks, Inc. 3175 S. Winchester Blvd., Campbell, CA 95008 408-342-5400/888-268-4772 (US & Canada) barracuda.com Barracuda Networks and the Barracuda Networks logo are registered trademarks of Barracuda Networks, Inc. in the United States. All other names are the property of their respective owners. Barracuda Networks Inc. 3175 S. Winchester Boulevard Campbell, CA 95008 United States 1-408-342-5400 1-888-268-4772 (US & Canada) info@barracuda.com barracuda.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information