Hyperguarding your Web Applications

Posts Tagged ‘Cloud Applications’

dWAF as SaaS available through AWS

Posted by hyperguard on November 10, 2009

Today we announced hyperguard SaaS—the industry’s first dWAF as a SaaS through Amazon Web Services (AWS). AWS customers or solution providers can protect applications by applying hyperguard SaaS either as a software plug-in to an existing web server Amazon Machine Image (AMI) or by using AoD’s custom AMI. The solution addresses the limitations of traditional WAFs, which were not designed to secure cloud applications, when they are pressed into that role.

It is highly scalable and ideal for virtualized resources—AoD hosts the resource-heavy pieces of the dWAF on Amazon EC2 and leaves just a small footprint on the customer’s AMI. Therefore, hyperguard scales with the number of web server AMIs running the customer’s protected application, without any need to purchase additional AMIs. This allows customers to pay on a per-use basis and avoid investing in resource-intensive solutions.

hyperguard SaaS provides web application security monitoring, detection-only and protection modes. For additional information or to test the service for free go to http://aws.artofdefence.com


Danger. Danger, Will Robinson! (enough with the panic, please)

Posted by hyperguard on October 13, 2009

The sky is not falling on cloud computing because of the Microsoft Danger / Sidekick fiasco (sorry John D., even end-user license agreements aren’t going to hold back cloud adoption). All this hubbub is good for the industry, even if it’s sparking radical pundits on both sides. The Cloud Computing Interoperability Forum (CCIF) member Reuven Cohen sums it up well. If you haven’t read his full comment, here’s the important part:

“Let me remind you that failures happen and they happen all the time. There are whole groups at major manufacturers devoted to it, on purpose. Whether it’s on your desktop, in your data center or in the cloud. To fail is human. But to be prepared is noble.”

Being prepared to adopt new technology means different things to people. Is your cloud provider being transparent with bugs, glitches, etc? Do you have provider options (Google, Amazon, DISA’s RACE)? How is your data handled and protected? Is the cloud application security up to you or does your provider take care of everything?


The XaaS Landscape: Where’s Security Being Discussed?

Posted by hyperguard on September 28, 2009

The ‘as-a-service’ – or XaaS – opinion and future-casting has officially taken off. Thinking Out Cloud gives a good overview (although we have a slightly different view of the conclusion). Risk Bloggers shared a few worthy thoughts on making sure you end up with a stable XaaS (referred to as cloud) provider.

Security is the giant reality check to the hype curve here. It’s being discussed in terms of web application development from the ground-up, combined with policy changes. See Jon Oltsik’s commentary. Vendors are having their say, such as GigaSpace. Amazon of course is leading the discussion. The busy folks at Rackspace are in full tilt on the issue (as you’d expect).

So what’s missing? Only that the aforementioned musings all focus on security as a starting point before launching XaaS’s. All well and good; however, what about the raft of applications that have already been pushed out of the network and live as XaaS’s right now? Are they left ‘to the wild’, as it were?

Companies can’t afford the time, effort and risk of taking applications offline to refactor (or re-architect from scratch). One approach is to hook a source code scanner into your distributed Web application firewall (dWAF) to create a virtual patch until the developers can get their hands on the code and fix it. Art of Defence’s thoughts on dWAF use here.

Starting security from scratch for XaaS’s is the right thing to do, yet there are ways to shore up existing applications right now.
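As an added example (not Art of Defence’s code, and not how hyperguard itself implements this), here is a minimal virtual-patch engine in Python. It turns constructed scanner findings into positive-validation rules for the affected path and parameter, and applies them in the monitoring, detection-only and protection modes that the hyperguard SaaS post above lists. The Finding format, the per-class value patterns, the mode names and the sample requests are all assumptions made for this illustration.

```python
# Added example, not Art of Defence code: a minimal virtual-patch engine that turns
# (hypothetical) scanner findings into request-level rules until the code is fixed.
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Finding:
    """One item from a hypothetical source-code scanner report (assumed format)."""
    path: str        # request path served by the vulnerable handler
    parameter: str   # the tainted input parameter
    vuln_class: str  # e.g. "sql_injection" or "xss"


# Positive validation per vulnerability class: the patch admits only values the handler
# was written to expect, instead of trying to enumerate attack strings (assumed patterns).
ALLOWED_VALUE: Dict[str, Pattern] = {
    "sql_injection": re.compile(r"\A[0-9]{1,10}\Z"),        # numeric identifier only
    "xss":           re.compile(r"\A[\w .,'-]{0,200}\Z"),   # plain text, no markup characters
}


@dataclass(frozen=True)
class VirtualPatch:
    path: str
    parameter: str
    allowed: Pattern
    vuln_class: str


def build_patches(findings: List[Finding]) -> List[VirtualPatch]:
    """Map each finding to a rule; findings of an unknown class are skipped, not guessed at."""
    return [VirtualPatch(f.path, f.parameter, ALLOWED_VALUE[f.vuln_class], f.vuln_class)
            for f in findings if f.vuln_class in ALLOWED_VALUE]


def evaluate(method: str, url: str, body: str, patches: List[VirtualPatch], mode: str) -> dict:
    """Evaluate one request against the patches.

    mode: "monitor" -> record every covered parameter, never block
          "detect"  -> record only violations, never block
          "protect" -> record violations and block the request
    Returns {"action": "allow" | "block", "events": [...]}.
    """
    parts = urlsplit(url)
    params: Dict[str, List[str]] = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST":  # form-encoded bodies are merged with the query string
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)

    events, violation = [], False
    for patch in patches:
        if patch.path != parts.path:
            continue
        for value in params.get(patch.parameter, []):
            ok = bool(patch.allowed.match(value))
            violation = violation or not ok
            if not ok or mode == "monitor":
                events.append({"path": patch.path, "parameter": patch.parameter,
                               "vuln_class": patch.vuln_class, "value": value,
                               "result": "ok" if ok else "violation"})
    action = "block" if (violation and mode == "protect") else "allow"
    return {"action": action, "events": events}


# Constructed sample findings, as a scanner might report them for two handlers.
FINDINGS = [Finding("/account", "id", "sql_injection"), Finding("/search", "q", "xss")]
PATCHES = build_patches(FINDINGS)

if __name__ == "__main__":
    for mode in ("monitor", "detect", "protect"):
        print(mode, evaluate("GET", "/account?id=42+OR+1%3D1", "", PATCHES, mode))
```

The rules are keyed to the exact path and parameter the scanner reported, so the patch does not disturb the rest of the application; once the developers fix the handler, the finding disappears from the next scan and the rule can be retired.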


SANS: “60% of Attack Activity Directed to Hack Web Sites” (!) Yikes.

Posted by hyperguard on September 17, 2009

Earlier this month, SANS Institute issued a new biannual report with some scary statistics about web applications. If you don’t have time to sift through the entire report (it’s worth the time if you can), basically OS attacks are down, application threats are up and web applications (such as websites) are way up – 60% of the total activity according to Rohit Dhamankar of TippingPoint’s DVLabs. Mr. Dhamankar’s company provided a lot of the data for the SANS report. Here’s an excerpt from the report:

“Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.”

Think about cloud computing after reading what SANS has found and realize that cloud applications are even more exposed to this problem. Those in the industry have known this to be the case for a long time, so it’s good to see SANS making headlines with the actual data! Hopefully the New York Times coverage helps shed much-needed light on this issue.


Cloud Applications are Highly Exposed to Threats

Posted by hyperguard on August 5, 2009

Accessing cloud technologies requires a thin client, and the world’s most commonly used thin client for this purpose is the web browser. This means the vast majority of all applications on the Internet have some kind of web and/or application server on which the business logic is implemented. Currently, most of the money spent on security goes into firewalls and antivirus solutions, but over the last 10 years the typical target for attacks has shifted from the network layer to the application layer, because operating systems were hardened and the services exposed to the general public were cut down. As a result, it is now easier to target the application logic or framework than the actual server behind the hardened network perimeter. Applications are mostly developed by the businesses themselves, and not every developer considers security the highest priority, which leads to a wide variety of problems.

The IBM X-Force® 2008 Annual Report highlights that web application vulnerabilities are the Achilles’ Heel for corporate IT security. The impact of not being able to secure these vulnerabilities is far reaching.

Stay tuned for thoughts and details on this topic.

[Images 1 & 2 (not reproduced): Cumulative Count of Web Application Vulnerabilities; Vulnerability Consequences as a Percentage – source IBM X-Force®]
