We’re going to start the new year discussing the need for a Web Application Firewall (WAF), leveraging security frameworks and libraries for source code, and a new service called Bugalert that will notify you of any high/critical severity vulnerabilities on the fly.
To use a WAF or not to use a WAF
WAF effectiveness is a heavily-debated topic as it might be difficult to determine the efficacy of a WAF. WAFs can be beneficial whenever the following conditions are met:
- The cost of fixing the vulnerabilities is higher than implementing a WAF; or
- The amount of traffic that will be blocked is lower than your tolerance threshold.
You can also use a firewall to implement mitigations that prevent bots and scrapers from reaching your website, offer application layer security, and allow/ban the listing of IPs. A simple implementation of a WAF could include using a Captcha or a Javascript challenge for reducing these types of bots. You can use a WAF as a proxy to allow for specific traffic while banning the rest.
An important takeaway about WAFs is that they’re not a set-it-and-forget-it solution. They require tender loving care from inception to the deployment of the WAF. It requires a dedicated staff/team to maintain the WAF to optimize its use continuously.
The ideal way to approach a WAF is to treat it as a solution that’s predominantly designed for blocking unwanted traffic to your web application.
Leveraging security frameworks and libraries for secure code
Implementing secure code on your own can be a cumbersome task to execute properly. Attackers can abuse tiny slivers of your code to make your application vulnerable.
Regarding the ability to secure your code, there are frameworks and libraries that allow you to focus on security while allowing you to focus on building your product. This article from Github discusses different methods and factors that may help you evaluate what you should look for when using these frameworks and libraries.
Whenever you’re deciding what libraries to use, you should consider these five factors:
- Is the package widely used?
- Does the package have a good reputation?
- Are there good reviews about the specific library?
- Is the package actively maintained?
- Does the package have maturity?
- This is a good indicator that there’s a clear roadmap with most features being consistently implemented.
- Are the package’s security issues being fixed in a timely manner?
When you’re dealing with web frameworks and want security in those frameworks, it’s important to determine what security tasks (XSS output encoding or input validation) should be handled by the framework.
An important factor to consider when using a web framework with some form of security embedded in it is to allow the framework to handle the data encoding for you. When you let the framework handle the data encoding for you, this will mitigate the chances that a user will miss or incorrectly implement a security measure. If you’re going to allow possible insecure behavior, there should be a thorough analysis of the allowed behavior and the realization that it’s not the default.
When incorporating libraries and frameworks, it’s important to update the dependencies in your source code. You can use Software Composition Analysis tools such as GitHub Dependabot to keep your dependencies up to date.
Bugalert
After the log4j vulnerability, a security professional, Matthew Sullivan, released a new service called Bugalert, that alerts security and IT professionals for any high and critical vulnerabilities. Bugalert’s only goal is to quickly notify severe software flaws via email, phone, or SMS.
Bugalert is currently for contributors to develop and improve upon its program. For anyone interested in contributing, feel free to open a Github issue.
Comments