When I use a website - when I purchase a service or subscribe to a newsletter, I am giving you my personal information.

I will gladly enter my name, address, email address and even my credit card number. You will also have information on things I like, what I purchased and even what I have looked at. This information is very powerful.

It can be used for targeted marketing, to suggest other items that I might like.  It can also be passed to others who may use it in a similar way, so long as strict national and European laws governing how this data may be treated are adhered to.

In my eyes we’ve made a deal: now that I have provided you with all this data, you have a responsibility to protect it.

Do you know how to protect it?

"Sure, we use SSL, the data is encrypted"

"We have dual firewalls and IPS devices protecting our network"

"All personal data is held in an encrypted database"

I hear all of the above every day, and it still amazes me that people, some of them very senior UK IT professionals, think that these measures alone will protect the data that they are responsible for.

The majority of attacks on web sites or companies today are not focused on the perimeter; they are application based.  For example, if someone uses an SQL Injection attack to extract information from your database, it does not matter that it is encrypted; the command is still executed by the web server and passed to the database. All encryption serves to do here is to hide the attack from existing protection mechanisms.

Similarly, how do you know that when your app sets a parameter for a user, that this parameter has not been changed when it comes back to the application?

A typical network based security device does not have the ability to track this kind of application information.  Adequate protection is technology that understands your specific application.

WEB Application Firewalls (WAFs) are such devices. A WAF sits in front of your application servers and proxies all user requests and responses. It can also perform other functions, such as SSL offload or load balancing.

Because it sits in line it can see all user sessions but, more importantly, it can see and understand the server responses. This allows it to understand what has been requested and what is been served in the response. For example:  When a user accesses the site, the Web app sets a unique session ID for that user.  The WAF also tracks that session with an encrypted cookie containing more information about the user. This ensures that if someone were to hijack that session ID, it would be blocked as all the information would not match the information that was held in memory by the WAF.

The WAF will parse the complete request before passing it to the app server. This is important because many attacks are hidden within encoding, or split across multiple requests. These types of attacks can be missed by traditional security devices because they are valid http requests, but a WAF will execute this code before passing it to the app server and block the attack.

Also, because the WAF can see the response, if something was missed in the request, it can detect sensitive information returning from the server and this can be blocked, such as error messages, and personal information.

When speaking to developers about issues like this, the stock response is "Why would someone use the application like that, that is not how I designed it".

This is understandable, but ignores the fact that until an app is released to the public, you cannot truly see what users will do. Despite best efforts, you cannot cover all the bases.

A WAF can learn the flows of your application and make sure that good users don't do bad things, usually by accident.

For example, a user bookmarks a page in your app. They return to your site a couple of days later via this bookmark. Maybe your app was not designed to be accessed like is and they receive an error because they were not assigned a session ID. A WAF can make sure there is only one entry point to your app and redirect users to this without them even knowing, improving the user experience and retaining customers.

So now that you have all my personal information, please protect it. That’s the kind of deal I’d feel more comfortable making.

 

Technorati Tags: , , , , , , ,