OWASP Top 10 #7: Insufficient Attack Protection [Updated 2019]
“Security is always seen as too much until the day it’s not enough.”
This quote by William H. Webster, an American attorney, jurist and current Chairman of the Homeland Security Advisory Council, pretty much defines the complexity of the new entry to the OWASP (Open Web Application Security Project) Top 10 Series: A7-Insufficient Attack Protection.
Since A7 was introduced during OWASP Top 10 – 2017 rc1 in April 2017, it caused somewhat of a controversy, as it directly refers to both Web Application Firewalls (WAF) and Runtime Application Self-Protection (RASP). And since apparently it was unilaterally pushed by Contrast Security, a RASP vendor, the uncomfortable conflict of interest is quite obvious.
Controversy aside, understanding what ‘insufficient attack protection’ really means is rather an interesting exercise. For instance, A7 basically applies to every sort of web application, meaning that most (if not all) companies that have the most basic IT/Systems structure should give some thought to it.
Do You Even Have The Necessary Technology?
The first step is considering any source that may access or send requests to your application, either from a local network or the internet. What readiness level is necessary to adequately detect and respond to anomalies and automated or manual attacks? Do you even have the necessary technology for doing so? While the early detection and blocking of incoming attacks would greatly improve the security level of any web application, this can prove to be a challenge since most applications or APIs do not have this level of protection out of the box.
This sort of exploitation may arise from known users or anonymous sources. Usually it starts with some basic reconnaissance (such as using a port mapping tool) and expands into the usage of web vulnerability assessment tools (e.g., Burp Suite or OWASP’s ZAP) that will allow the discovery of possible security flaws for future exploitation. Also, you should not forget the possibility of a skilled cracker using stealth tactics for discreetly probing your application for vulnerabilities that, again, could be later exploited.
Hopefully, provided you have the necessary tools, it is always possible to act early on and stop reconnaissance/scanning from becoming a full blown exploitation. For instance, as OWASP suggests, using technologies like WAFs and RASP can help in detecting or even preventing incoming attacks, but it is important to avoid basing your entire application protection efforts on technology.
When using solutions like WAFs and RASP, aside from any level of protection they may provide, you are essentially expanding your attack surface. And since most solutions will work by filtering the traffic to your web application and looking for probable attack patterns, it is more than likely they are using regular expressions, which are actually vulnerable to Denial of Service attacks.
So, what is the best approach to complementing the use of WAFs, RASP and similar technologies? As usual, actual protection requires expert knowledge, and in this case, the task falls to your development team. How about luring attackers with something as simple as a honeytrap? For example, an experienced coder can easily create dud parameters, such as fake forms or cookies, which, once manipulated, will trigger an alarm function and even may provide your security team with basic information (e.g., source IP address and timestamp) allowing further analysis or simply blocking the attacker.
Since this dud parameter has no actual function on your web application, you can be sure that whenever it is manipulated, there is a good chance an attack is happening. This simple approach is quite different from what is done by WAFs, RASP. The focus is not identifying the type of attack; what you really want is to be alerted that an attack may be underway and to have basic information to work upon. If properly done, this is a simple, elegant, effective and frankly inexpensive solution.
With this simple example, it becomes clear that human expertise is a key asset for web application protection. Again, we are not dismissing the importance of technical solutions, but they are far from being completely effective out-of-shelf, and may even introduce undesired side effects.
The best approach is combining both factors to create a sufficiently protected environment. But here lies the challenge: appliances such as WAFs, RASP and basically any other security solution can be expensive but, for most cases, they are readily available. Given the current cybersecurity skill gap, experienced professionals can be hard to find.
Educating Your Organizations With Security Best Practices
This is where the Infosec Institute can help you. We have ample experience in educating developers, designers, architects and even organizations with security best practices. Investing in your team, and making sure they have an in-depth understanding of the role of security in the software development lifecycle, can be of immense value to your organization. Advanced knowledge, such as how to avoid coding mistakes, understanding what may be exploited by cybercriminals and using this information to detect and avoid attacks on an application level, goes far beyond what even the best technical solutions may provide.
Evolving your development team into security experts may be a simple question of selecting the best education provider. Do you want to grow advanced skills at a fast pace? Then Security IQ is your best choice for online learning. We provide dedicated modules to each OWASP Top 10 Web Application Security Risks. You can try it for free! Enrolling can be done in a matter of minutes, and the ‘Personal’ membership option allows up to ten learners to check for the basic functions of Security IQ.
Another great option is our OWASP Top 10 Boot Camp, a unique experience focused on providing a good mix of attention getting lectures, hands-on secure coding lab activities and engaging group exercises. There is no doubt about it: this is the most current, up-to-date hands-on secure coding training. We take pride in providing the opportunity to learn from the very people who do it: our instructors are active and expert developers, with proven field experience in secure coding. Our track record says it all: we have trained more developers secure coding courses than any other training company.