Web Application Security-development trend of attack and defense confrontation

Struts2 S2-032 at the end of April let the security of the rivers and lakes and set off a storm, many websites have been recruited, hacker intrusion caused a variety of major losses. According to the history of Struts2 vulnerability outbreaks, each vulnerability publication has a profound impact on the government, banking, securities, insurance, and other industries. This is no exception. Website Web security has always been a public concern. Let's talk about this topic.

Web application security status quo

More than half of websites with Web application data leaked, causing significant financial losses
Frequently-occurring Enterprise website security incidents, extortion by hackers and malicious attacks by competitors
 More and more websites begin to connect their businesses to cloud computing services and take full advantage of the advantages and convenience of cloud computing.
 Website administrators are paying attention to website security and will use security products for protection.

Challenges for enterprises

 How to maintain real-time updates to Web vulnerabilities exposed daily, which are harmful and have a wide impact?
 Continuously receives a large number of security alarm logs, but I don't know how to start it?
Websites are vulnerable to website security risks exposed by third-party vulnerability platforms?
Why is the page displayed slowly or even unable to be opened and powerless when a website is attacked by a large number of bots?
Hacker attacks are helpless from traditional Web attacks to business scenarios, such as credential stuffing, data capturing, and SMS interface abuse?

Solution

As a mature website protection product, WAF has become an essential tool for enterprises to provide security protection for Web applications. It can defend against targeted Web technology attacks, some business logic attacks, and massive bot malicious access. Through in-depth analysis and detection of Web applications, it can block SQL injection, cross-site scripting attacks, prevent malicious scans and other common Web attacks, and provide vulnerability repair capabilities.

New features in cloud security

As a traditional security protection product, WAF has been developing for many years. However, in recent years, with the popularity of the cloud computing market, WAF has developed a new access method: cloud deployment. By using a simple DNS record change, the traffic is introduced to the cloud Protection Cluster. After the security protection detection, the security traffic is returned to the source server. Compared with traditional protection methods, it has the following features:

 Products + data + operations are integrated to achieve the best protection effect. The traditional security protection mode only provides a variety of products. But it's not just about buying a security product. Security requires constant big data analysis models and adaptive adjustment of protection policies to cope with ever-changing security trends, and constantly refined product operations. Alibaba Cloud has a huge advantage in data and Operation. What customers need to do is to give us the information about their own business and security.

The Ingress has no deployment, no installation, five-minute access, and is fast and stable. You can quickly enjoy security protection with simple changes, no complex machine room wiring, and machine shelving operations. Multi-cluster deployment ensures business stability.

 Real-time protection against 0-day vulnerabilities. On-cloud security experts perform real-time monitoring, and vulnerability-based protection rules are instantly distributed in the cloud, eliminating the need for complex upgrade procedures in traditional modes.

 The protection capability is automatically extended and shared with cloud websites. Cloud users, including protection rules generated by Taobao and Alipay, millions of malicious IP address credibility databases, and malicious samples, are automatically covered by your website.

The Ingress cluster can be scaled elastically to easily defend against massive businesses. Traditional Protection modes are difficult to meet the needs of sudden business spikes (such as flash sales promotions) and massive bot attacks, however, the elastic resizing and big data learning capabilities in the cloud computing era have all turned these capabilities into the past.

 In terms of business, combined with anti-fraud, risk control, human-machine identification and other related technologies, without modifying the application code, it perfectly meets business protection requirements such as anti-credential stuffing, anti-crawling, and interface abuse. In combination with products, it can work together with CDN to create secure acceleration traffic, it is also a one-click activation of Alibaba Cloud DNS, which seamlessly integrates with Alibaba Cloud DNS to meet various application scenarios of users' businesses.

A new way of cloud WAF development

It is true that cloud WAF has been criticized. For example, attackers can bypass WAF to directly access the origin site address for targeted attacks; after the service is falsely reported, the website rules cannot be customized, the data privacy leaks, and the security of the private key in the HTTPS service. However, after several years of technological development, these technologies have all become history and are no longer the weakness of cloud WAF. Instead, they are replaced by the following changes:

Compliance. Actively fulfill the requirements of PCI-DSS certification to meet the requirements of enterprises for data security. Protects databases against injection, capturing, and other unauthorized behaviors to avoid data leakage. To address enterprises' concerns about the security of the private key in the HTTPS service, the Keysafe solution is released, without the need to upload the private key. It also supports security protection for encrypted traffic.

Strict. Attackers can bypass targeted attacks against previously specified origin site IP addresses. On the one hand, security access control can be implemented on the origin site server, and only cloud waf ip addresses can be accessed. Other targeted accesses are prohibited; on the other hand, the website traffic is completely protected by cloud WAF to achieve website stealth, so as to avoid exposure of real addresses.

Worry-free. Make full use of the big data advantages of cloud computing to establish a normal website model. It can clearly sort out the normal business request model of the website and prevent zero-day vulnerabilities from being bypassed. Normal business requests are not mistakenly blocked. The early warning mode is enabled at the initial stage of website access to ensure the normal operation of online services, and to make the website maintainers clear the business error reports in the shortest time.

Comprehensive. High-performance SSL support and data link encryption. More protection capabilities cover business scenarios such as credential stuffing, interface abuse, business fraud, risk control and identification.

Caring. Customizes various fine-grained protection policies for websites and URLs, provides user-friendly and customizable error and blocking pages, and provides the best user experience for websites. Everything can be customized to create the one you want.

WAF is an essential protection tool for financial industries with extremely high data privacy requirements. Alibaba Cloud WAF (ps: // www.aliyun.com/product/waf "> https://www.aliyun.com/product/waf) not only supports website security protection for customers in the cloud, but also supports security requirements for customers outside the cloud, easy one-click access through DNS switching. In addition, Alibaba Cloud Security provides various security services (such as White box testing, black box testing, penetration testing, and mobile application testing) for the financial industry, and strives to provide customers with security solutions.