Hyperguarding your Web Applications

Posts Tagged ‘SaaS’

First dWAF?

Posted by hyperguard on December 18, 2009

We’re glad to see others are seeing the importance and worth in a distributed Web Application Firewall (dWAF); however, we wouldn’t call Akamai’s recent news the first WAF in the cloud.  The technology is a black list filter for requests.

Adrian Lane @ Jeremiah: in reference to Jeremiah’s point on white list vs. black list

…I am making the assumption that Akamai relieves their customers from specific ‘black list’ threats and the burden on web site WAFs, but does not relieve customers of the need to build their own ‘white list’ of policies.

Today’s WAF technology looks very different. Black, white and gray listing is considered basic functionality. Proactive features like session protection, form field virtualization, learning and assisted security policy refinement are a must. Exchanging information with related web application security products, such as web application vulnerability scanners or static code analysis tools, is a must-have.

For these reasons, art of defence launched the first fully fledged dWAF for their customers at RSA 2009.  More recently, we’ve made this service available to AWS customers or solution providers so they can protect their applications by applying hyperguard SaaS either as a software plug-in to an existing web server Amazon Machine Image (AMI), or by using AoD’s custom AMI.  The technology behind this is going to be implemented at various other cloud service providers in the near future so they can offer a true dWAF (at least) in their cloud.

Follow the discussion on Twitter @hyperguard.


The XaaS Landscape: Where’s Security Being Discussed?

Posted by hyperguard on September 28, 2009

The ‘as-a-service’ – or XaaS – opinion and future-casting has officially taken off. Thinking Out Cloud gives a good overview (although we have a slightly different view of the conclusion). Risk Bloggers shared a few worthy thoughts on making sure you end up with a stable XaaS (referred to as cloud) provider.

Security is the giant reality check to the hype curve here. It’s being discussed in terms of web application development from the ground-up, combined with policy changes. See Jon Oltsik’s commentary. Vendors are having their say, such as GigaSpace. Amazon of course is leading the discussion. The busy folks at Rackspace are in full tilt on the issue (as you’d expect).

So what’s missing? Only that the aforementioned musings all focus on security as a starting point before launching XaaS’s. All well and good; however, what about the raft of applications that have been pushed out of the network and live as XaaS’s right now? Are they left ‘to the wild’ as it were?

Companies can’t take the time, effort and risk of taking applications offline to refactor (or re-architect from scratch). One approach is to hook a source code scanner into your distributed Web application firewall (dWAF) to create a virtual patch until the developers can get their hands on the code and fix it. Art of Defence’s thoughts on dWAF use here.
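A sketch of the scanner-to-virtual-patch idea described above, as an added example that is not hyperguard's or any scanner's own code. The findings format, the `expected` type names and both function names are assumptions made for illustration; the rules are white-list patterns applied only to the parameters the scanner flagged.

```python
import re
from urllib.parse import parse_qsl

# Constructed scanner output in a hypothetical format (not a real tool's schema).
FINDINGS = [
    {"path": "/account", "param": "id", "issue": "sql_injection", "expected": "integer"},
    {"path": "/search", "param": "q", "issue": "reflected_xss", "expected": "plain_text"},
]

# White-list patterns: describe what a value may look like, not what is bad.
ALLOWED = {
    "integer": re.compile(r"[0-9]{1,10}"),
    "plain_text": re.compile(r"[\w .,-]{0,100}"),
}

def build_virtual_patches(findings):
    """Turn each scanner finding into a rule keyed by (path, parameter)."""
    rules = {}
    for f in findings:
        rules[(f["path"], f["param"])] = (ALLOWED[f["expected"]], f["issue"])
    return rules

def check_request(rules, path, query_string):
    """Return (allowed, reason); only parameters with a patch are inspected."""
    # parse_qsl keeps every occurrence of a repeated parameter, so a second
    # "id=" cannot slip past a check that only looked at the first one.
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        rule = rules.get((path, name))
        if rule is None:
            continue  # no finding for this parameter: leave it alone
        pattern, issue = rule
        if not pattern.fullmatch(value):
            return False, f"virtual patch for {issue} on {path}?{name}"
    return True, "ok"

if __name__ == "__main__":
    rules = build_virtual_patches(FINDINGS)
    # Constructed sample requests.
    for path, qs in [("/account", "id=42"), ("/account", "id=42&id=1%20OR%201=1"),
                     ("/search", "q=blue+shoes"), ("/search", "q=%3Cscript%3E")]:
        print(path, qs, check_request(rules, path, qs))
```

When the developers ship the real fix, the corresponding finding disappears from the scanner output and the rule is dropped on the next rebuild.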

Starting security from scratch for XaaS’s is the right thing to do, yet there are ways to shore up existing applications right now.
