PureWAF Turns Five
Five years ago we noticed a trend among our customers. The same high-risk vulnerabilities appeared in consecutive penetration tests. While the underlying reasons for this varied from a lack of technical resources to the inability to make changes to proprietary software, the end result was the same: attackers were exploiting flaws in web applications, leading to both financial and reputational loss.
Looking back over the last five years, there were several important lessons learned. I will highlight one of them here. Web applications are like snowflakes: each one is unique. In contrast to network devices, web applications are often custom written. This means that IDS/IPS-style solutions are often not flexible enough to provide the protection web applications require.
For example, we often see web applications that do not enforce the proper authorisation roles for a given user, e.g. a user can access data belonging to another user. By having the flexibility to query backend databases, PureWAF can enforce user role permissions without making any changes to production software. This becomes very handy when change windows are infrequent.
Another common example is price manipulation on e-commerce applications. When a backend server does not verify whether a user has tampered with the price of an item, malicious users can make fraudulent purchases for little to no money. After several clients suffered similar issues, we developed a fraud detection module that detects credit card fraud as well as client-side parameter manipulation.
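The two checks described in the last two paragraphs, as an added illustration and not PureWAF's own code: a gateway-style filter that consults the application's backend database to enforce object-level authorisation (the order in the URL must belong to the session user) and to reject a client-supplied price that does not match the catalogue. The paths, table names and sample rows are constructed for the example.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs


def build_db():
    """Constructed stand-in for the protected application's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders(id INTEGER PRIMARY KEY, owner TEXT);
        CREATE TABLE products(sku TEXT PRIMARY KEY, price_cents INTEGER);
        INSERT INTO orders VALUES (101, 'alice'), (102, 'bob');
        INSERT INTO products VALUES ('SKU-1', 4999), ('SKU-2', 1299);
    """)
    return db


def _to_int(value):
    """Parse an untrusted integer field; None means malformed."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def check_request(db, session_user, method, url, form=None):
    """Return (allowed, reason) for one request, as a filter in front of the app.

    The checks run against the backend database rather than the application code,
    so the production software itself is not modified (hypothetical paths).
    """
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    form = form or {}

    # Object-level authorisation: /orders/view?id=N must reference an order owned by the user.
    if parsed.path == "/orders/view" and "id" in query:
        order_id = _to_int(query["id"][0])
        if order_id is None:
            return False, "malformed order id"
        row = db.execute("SELECT owner FROM orders WHERE id = ?", (order_id,)).fetchone()
        if row is None or row[0] != session_user:
            return False, "order does not belong to session user"

    # Client-side parameter manipulation: the submitted price must equal the catalogue price.
    if method == "POST" and parsed.path == "/cart/add":
        row = db.execute("SELECT price_cents FROM products WHERE sku = ?",
                         (form.get("sku"),)).fetchone()
        if row is None:
            return False, "unknown sku"
        if _to_int(form.get("price_cents")) != row[0]:
            return False, "client-side price does not match catalogue"

    return True, "ok"
```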
As internet-connected applications play an ever-increasing role in our daily lives, attackers continue to focus their attention on exploiting them for financial gain. PureWAF’s goal has always been to provide advanced protection to address tomorrow’s threat landscape today. By creating a system that understands custom attacks, correlates them against a malicious user, and reacts in real time to contain and eliminate the threat, PureWAF is able to ensure your web applications are secure.