0 to 100 mph: Accelerating Visibility for Application Security

In a drag race, how quickly you get off the line sets the tone for the race. From there it is all about acceleration to maximum velocity in a short distance to beat the clock for the best time on the track. In web application security there is another kind of race, the race between the attacker and defender. In this race time is also a factor, can the defender detect and protect against attacks before the attacker is able to exploit flaws in the application? To detect, you need visibility. To detect when time is of the essence, you need accelerated visibility.

In this blog post, I want to highlight what I like to call, accelerated visibilityor “going from 0 to 100 mph out-of-the-box”, with Signal Sciences. If you are defending web applications I’d bet you’ve attempted to get visibility over what threats are hitting your applications in production, and it’s likely you’ve attempted this using access logs. However, I’m sure you found access logs to be very limiting for all the reasons covered in James Wickett’s post, “Why Logs aren’t Enough for Security”.

Having visibility into the what, where, and how of injection attacks helps you to understand how your application is being targeted. This information enables you to react in realtime when necessary as well as prioritize your application security resources, e.g. static and dynamic analysis.

Key visibility question:

– Do I know what attacks are targeting my web applications today?

Automated threats are prolific and probe continuously. Depending on your application and web server configurations this probing could uncover vulnerabilities. Understanding what type of automation is targeting your apps, and what resources they are targeting, enables you to make adjustments to where needed to avoid exposures or block this activity.

Key visibility question:

– Do I know if my web applications are at risk to exposing useful information to automated probes?

The source of traffic accessing your applications is an indicator of potential threats. Knowing where legitimate requests should be sourced from and seeing where requests are actually source from enables you to distinguish threats.

Key visibility question:

– Do I know what traffic is sourced from Tor exit nodes or another datacenter, and if so can its legitimacy be verified?

When something in the requests to your applications just doesn’t look right, a threat may be lurking. Normal requests from a legitimate user accessing applications with a typical web browser will not contain anomalies. Even requests from legitimate API clients will be (should be) well formed.

Key visibility question:

– Can I see which requests contain anomalous attributes in order to determine the nature of those requests?

Getting to know how your applications behave operationally is another critical component to understanding when.

Key visibility question:

– When errors in my applications occur, can I determine if they are a result of an operational exception or attempts at exploitation?

Accelerate Your Visibility

If you’re not able to answer all of the key visibility question above in the affirmative, then you are not in the driver’s seat to be able to protect against threats facing your applications today.

Having such visibility puts you in the driver seat, giving you the ability to out pace attackers and defend your applications in real-time. The examples I’ve highlighted above demonstrate how Signal Sciences can help you jump off the starting line and quickly accelerate to maximum visibility. It launches your application security from 0 to 100 mph in seconds!