Closing the Website Security Gap: Why a WAF is Not Enough

November 12th, 2019

Web-based cyberattacks against businesses of all sizes are on the rise. Magecart, the consortium of hacking groups responsible for some of the biggest data breaches in recent years, is currently the most famous of these threats, and its presence on the web is large and still growing. But your eCommerce website presents a lucrative target for hackers that could be attacked from many angles.

One traditional method of defense against website hacks is a web application firewall, or WAF. However, this method falls short in several key ways and should not be your sole cybersecurity measure.

What is a WAF?

A WAF is a firewall that monitors and filters data as it travels to and from a website or web application. It’s a highly specialized tool with customized rules to block known threats.

If you have a site that engages in eCommerce and processes credit card data, you’re required to be compliant with PCI DSS. WAFs are a PCI requirement, so you most likely already have one in place.

So What’s the Problem?

WAFs are a widespread tool for a good reason. They’re good at what they do, which is to prevent server-side attacks on your website. If you’re facing server-side threats like SQL injection or unauthorized database access, your WAF will be a strong defense.

But that’s only half of the problem.

In the past, website code ran and data was stored on the server side. Browsers were a mere visualization tool for the HTML sent from the server. Modern websites are different—a large share of the web application code now executes in the browser, which has its own client-side storage.

Furthermore, sites these days contain more than your own code. To improve functionality, user experience, analytics, and more, web developers tend to bring in a wide variety of third-party elements, such as CDNs, ad networks, chat agents, or performance monitoring tools. If any of these is compromised, the malicious code it delivers executes in your customer’s browser, where your WAF never sees it and can do nothing about it.

Your website has three areas of vulnerability—your server, the third-party servers, and the client device. Your WAF only has visibility into the traffic to and from your own server.

Consequently, browser-side attacks are becoming more and more common. If you’ve been relying on a WAF alone, the time has come to start focusing on what your customers are experiencing in their browsers, including what code is executing, what content they’re being shown, and what data is being exchanged.

For more information on this subject, check out the video on our homepage.

The Business Impact

How important is it really to solve the client-side security issue?

These days we live our lives on the web. We shop, we bank, we access our health information and more. A consumer’s feelings about an organization are defined in large part by his or her experience while interacting with its website or mobile applications. 62% of consumers have abandoned an online transaction due to concerns over security—that’s a huge potential loss in revenue, and before a breach has even happened. If your web applications are compromised, consumers won’t forget—one survey showed that nearly 70% could correctly identify companies that had been breached.

Shoring up your client-side protection is also important because Magecart and similar groups are still evolving. While the current focus of these attacks is leveraging third-party elements to skim credit card information, tomorrow’s attack could take a new form, and it will pay to be ready.

Protecting Both Sides

WAFs have come a long way in recent years. Many vendors are creating next-gen web application firewalls that are even stronger than the traditional model. However, they still don’t solve the problem of client-side attacks.

For that, you need to combine your server-side WAF with a solution to safeguard your browser side. Tala’s Application Information Model is ideal for tracking this information because it focuses on the behaviors on each website page and detects anomalous activity in real-time.

The solution that protects both sides should provide full visibility to help build your model. Gaining greater visibility into browsers, third-party apps, and the activity at all of these sites is critical to getting a full picture of where threats are coming from. With this data collected, you can automatically put together a comprehensive behavioral model that analyzes the behavior of JavaScript code and other apps to detect any malicious intent.

Tala is the ideal complement to your server-side security strategy. Comprehensive and flexible, Tala is based on established web security standards—technology that has proven itself on past threats and is ready to protect against the rising wave of browser-side attacks.

While web application firewalls do serve an important function in your IT security, they only do half the job. By supporting WAFs with an application information model you can build a complete view of your site and provide full protection.


Written by Deepika Gajaria, Senior Director Product Management
