Hyperguarding your Web Applications


dWAF as SaaS available through AWS

Posted by hyperguard on November 10, 2009

Today we announced hyperguard SaaS, the industry’s first dWAF offered as a SaaS through Amazon Web Services (AWS). AWS customers or solution providers can protect applications by applying hyperguard SaaS either as a software plug-in to an existing web server Amazon Machine Image (AMI), or by using AoD’s custom AMI. The solution addresses the limitations of traditional WAFs, which were not designed to secure cloud applications.

It is highly scalable and ideal for virtualized resources: AoD hosts the resource-heavy pieces of the dWAF on Amazon EC2 and leaves only a small footprint on the customer’s AMI. hyperguard therefore scales with the number of web server AMIs running the protected application, without requiring the purchase of additional AMIs. This allows customers to pay on a per-use basis and avoid investing in resource-intensive solutions.

hyperguard SaaS provides web application security monitoring, detection-only and protection modes. For additional information, or to test the service for free, go to http://aws.artofdefence.com.


Why is Cross-site Scripting Still a Problem?

Posted by hyperguard on September 24, 2009

We had some great feedback from developers in LinkedIn about this issue. Some thoughts worth sharing below.

Brian Hidgen chimed in with his thoughts:

“I perform security code reviews of internally written and commercial packages every day. It is stunning how many problems I see. Why does XSS still happen? For one, time pressure. Developers are under time constraints to deliver, so they cut corners and push things out. Management for the most part does not take security seriously, or they adopt a see-no-evil mindset and ignore the problem until they get bitten down the road. Lack of understanding is a big one too. I have been a developer for a long time, and I was not trained or even sensitized to the issue until relatively recently. I know a lot of my colleagues past and present are in the same boat. We aren’t doing COBOL on a mainframe either; we are all Java/.Net/Ajax/Web 2.0 developers. The problem simply isn’t well understood, and not enough attention is paid to it.”

Milton Smith shared a little more with us:

“The problem with XSS, and cyber security in general, is awareness. People don’t see security as a problem until it impacts them. Next, highly secure software is a consumer EXPECTATION. It’s not generally a feature consumers are willing to pay extra to include in their products.

Building secure solutions takes: education, training, tools, process improvements, etc. As such, it’s all too easy for commercial software vendors to bargain away the features consumers cannot see, like security. Other areas of non-functional requirements suffer as well: performance, scalability, reliability, and diagnostics.

The causes for XSS are well known. Poor cyber security is like showering in a glass bathroom blissfully unaware everyone is watching.”


Jeremiah’s Right about Scalability

Posted by hyperguard on September 1, 2009

I recently read Web security is about scalability, a very interesting post by Jeremiah Grossman of WhiteHat Security. He discusses the importance of scalability in overcoming today’s Web security challenges. I would like to add some of my own thoughts.

It has taken the industry over 10 years to realize that dealing with Web application vulnerabilities also means dealing with the scalability issues these applications face, and that this needs to happen in parallel with normal security testing. Jeremiah highlights the incredible scale involved today:

“Consider that there are 240+ million websites, millions more added every month, an unknown number of Intranet Web applications, 17+ million developers, and over one billion people on the Web. Any solution capable of making a real difference must be valued by its potential worldwide impact.”

Testing a web application on a single system (which is how most are tested before being sent out into the world) without taking scalability into account is costly. Once that application hits its performance limit, it usually means a redesign and rewrite of core elements to make it more scalable, which changes how and what is important to test. Think of the OWASP Top 10 at Jeremiah’s scale!

Cluster computing, or cloud computing, offers a far more practical way to develop, test and scale web applications.

Flip the coin to protecting the applications once they’re live and in action, and Jeremiah’s scalability point becomes painfully apparent. Web application firewalls (WAFs) are the industry standard for this purpose, but they are predominantly hardware. Hardware doesn’t scale – you have to buy another box. More boxes mean more resource drain, fewer virtualized resources, and so on.

The article Jeremiah references in his post (see the white paper) outlines my view of what the market needs from a WAF.
