When it comes to truly protecting something, one layer of security simply won’t cut it. The Secret Service knows it, Fort Knox knows it, and even Kevin McCallister knew it in Home Alone. While you may not be able to keep hackers out of your website with tar, swinging paint cans or a giant pair of gardening shears (unfortunately), the principle remains much the same.
Effective web application security, whether it protects a website, a web service or a web application, has four layers: a web application firewall, access control, bot protection, and login protection.
What’s at Risk
You probably don’t need to be told why your website needs protecting, but with so many websites out there running without adequate protection, it bears repeating. Your website holds a great deal of valuable information: your company’s, your customers’, your visitors’. If an attacker gets in, all of it is up for grabs, and your company’s reputation and your users’ loyalty go with it.
Furthermore, attackers can plant malware on your site, tamper with your database, alter your applications and services, or take your website offline altogether. A bot-driven DDoS attack can exhaust your servers and bandwidth and keep the site down for as long as it lasts. The consequences of a breach can reverberate for months, even years. Just ask Sony.
Layer 1 of Web Application Security: Web Application Firewall
Think of a web application firewall (WAF) as your website’s bouncer. A WAF sits in front of your site and inspects HTTP traffic, enforcing rules for how visitors are allowed to interact with it. It is a countermeasure: it identifies requests that look like attacks and blocks them before they reach your application.
WAFs commonly guard against the threats catalogued by the Open Web Application Security Project (OWASP), such as cross-site scripting, in which an attacker gets malicious script into the pages served to your users, and SQL injection, in which attacker-controlled input is concatenated into a database query so that the attacker can read sensitive data, modify or delete it, execute administrative operations, or, in extreme cases, run commands on the database server’s operating system.
The one knock against WAFs is that they tend to be enterprise-grade, and if your company or website is not an enterprise, the product may be bigger and more complex than the protection you actually need. A cloud-based WAF run by security professionals, with custom rules tuned to your specific site, gets around this. Two caveats apply to any WAF: its rules need tuning so they do not block legitimate traffic, and blocking an injection attempt at the edge is a compensating control, not a fix for the vulnerable code behind it.
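To make the SQL injection point concrete, here is an added example in Python (not code from the original article). It builds a constructed in-memory SQLite table, shows a lookup that concatenates user input into the query beside one that uses a parameterized query, and runs a few illustrative WAF-style signatures over the payload. The table, the payload and the rules are all constructed for the example.

```python
import re
import sqlite3


# Constructed in-memory sample data for this example (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # VULNERABLE: untrusted input is pasted into the SQL text, so a quote in
    # the input ends the string literal and the rest becomes SQL syntax.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # FIXED: a parameterized query. The driver passes the value separately
    # from the statement, so it can never change the query's structure.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A few WAF-style signatures, written here for illustration; real rule sets
# are far larger and still need tuning against false positives and bypasses.
WAF_RULES = [
    re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.IGNORECASE),            # ' OR '1'='1 tautology
    re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.IGNORECASE),     # UNION SELECT exfiltration
    re.compile(r";\s*(?:drop|delete|update|insert)\b", re.IGNORECASE),  # stacked destructive statement
]


def waf_blocks(value):
    """Return True if any signature matches the parameter value."""
    return any(rule.search(value) for rule in WAF_RULES)


# Classic tautology payload, constructed for the demo.
INJECTION = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "waf_blocks_payload": waf_blocks(INJECTION),
        "vulnerable_returns": find_user_vulnerable(conn, INJECTION),
        "safe_returns": find_user_safe(conn, INJECTION),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the concatenating lookup returns every user for the tautology payload while the parameterized one returns nothing. The signatures catch this payload, but a WAF only stops what its rules recognize; the parameterized query is the actual fix.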
Layer 2 of Web Application Security: Access Control
Access control protects both front-end and back-end data by governing who can reach your web resources: what users can do, what they can see, and what operations they may perform on the data they are allowed to see. Restrictions can be based on anything from a user’s role to the time of day, the source IP address, or how many times a given user has authenticated that day.
Access control also has to account for backdoor access to your site. If an attacker gets in, one of the first things they may do is install a backdoor (often a web shell, a script dropped on the server that executes whatever commands it is sent) so they can come and go in the future with little effort. The access control component of your web application security has to be able to identify these backdoors, block access to them and render them useless, and notify you of their existence and location so they can be removed.
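An added example of what an access control decision looks like in code (Python, written for this article, not from any product). It assumes a small role-to-permission table, an ownership field on the protected object, and a constructed management network and business-hours window for administrative actions; all of those are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Tuple

# Role -> permissions. Constructed for this example.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "report:delete", "user:manage"},
}

# Constructed policy: administrative actions only from the management
# network and during business hours (the kind of restriction the text describes).
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))
ADMIN_ACTIONS = {"report:delete", "user:manage"}


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass(frozen=True)
class Report:
    report_id: int
    owner: str


@dataclass(frozen=True)
class Request:
    user: User
    action: str
    resource: Report
    source_ip: str
    local_time: time


def authorize(req: Request) -> Tuple[bool, str]:
    """Deny by default: return (allowed, reason), allowing only if every check passes."""
    # 1. Function-level check: does the role grant this action at all?
    perms = ROLE_PERMISSIONS.get(req.user.role, set())
    if req.action not in perms:
        return False, f"role '{req.user.role}' lacks permission {req.action}"

    # 2. Object-level check: non-admins may only modify data they own.
    #    Skipping this is the classic insecure-direct-object-reference bug.
    if req.action == "report:write" and req.user.role != "admin" and req.resource.owner != req.user.name:
        return False, "caller does not own this report"

    # 3. Context checks: where and when the request comes from.
    if req.action in ADMIN_ACTIONS:
        if not any(ip_address(req.source_ip) in net for net in ADMIN_NETWORKS):
            return False, "admin action from outside the management network"
        if not BUSINESS_HOURS[0] <= req.local_time <= BUSINESS_HOURS[1]:
            return False, "admin action outside business hours"

    return True, "ok"


def decide(user_name, role, action, owner, source_ip, hour):
    """Convenience wrapper: build a Request against report 42 and authorize it."""
    req = Request(User(user_name, role), action, Report(42, owner), source_ip, time(hour, 0))
    return authorize(req)


if __name__ == "__main__":
    print(decide("alice", "editor", "report:write", "alice", "198.51.100.7", 10))   # (True, 'ok')
    print(decide("bob", "editor", "report:write", "alice", "198.51.100.7", 10))     # not the owner
    print(decide("root", "admin", "report:delete", "alice", "203.0.113.5", 10))     # wrong network
    print(decide("root", "admin", "report:delete", "alice", "10.1.2.3", 22))        # after hours
    print(decide("root", "admin", "report:delete", "alice", "10.1.2.3", 10))        # (True, 'ok')
```

The order of the checks matters less than the shape: one function, deny by default, and every restriction the text mentions (role, ownership, source address, time of day) evaluated before anything is allowed.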
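Detecting a planted backdoor is mostly about noticing files that were not there before. The following added example (Python, not from the original article) takes a SHA-256 manifest of a web root, re-audits it after a constructed intrusion that drops a PHP web shell and edits an existing file, and flags the new and changed files along with a few illustrative web-shell indicators. The directory contents and the indicator patterns are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators commonly seen in PHP web shells. Illustrative, not exhaustive.
WEBSHELL_PATTERNS = {
    "eval(base64_decode(...))": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "shell command from request parameter": re.compile(
        rb"\b(?:system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"
    ),
    "dynamic function from request parameter": re.compile(
        rb"\$_(?:GET|POST|REQUEST)\s*\[[^\]]*\]\s*\("
    ),
}


def build_manifest(root):
    """Map each file under root (relative, POSIX-style path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_manifest(baseline, current):
    """Files that appeared, changed or disappeared since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "removed": sorted(set(baseline) - set(current)),
    }


def scan_for_webshell(path):
    """Names of the indicator patterns that match the file's contents."""
    data = Path(path).read_bytes()
    return [name for name, pat in WEBSHELL_PATTERNS.items() if pat.search(data)]


def audit(root, baseline):
    """Report every new or modified file, with any web-shell indicators it contains."""
    delta = diff_manifest(baseline, build_manifest(root))
    findings = []
    for status in ("added", "changed"):
        for rel in delta[status]:
            findings.append({
                "file": rel,
                "status": status,
                "indicators": scan_for_webshell(Path(root) / rel),
            })
    return findings


def demo():
    """Constructed scenario: take a baseline, simulate an intrusion, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_bytes(b"<?php echo 'hello'; ?>")
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG...")
        baseline = build_manifest(root)

        # Attacker drops a shell in the upload directory and patches index.php.
        (root / "uploads" / "avatar.php").write_bytes(
            b"<?php eval(base64_decode($_POST['c'])); ?>"
        )
        (root / "index.php").write_bytes(
            b"<?php echo 'hello'; if(isset($_GET['cmd'])){system($_GET['cmd']);} ?>"
        )
        return audit(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The manifest diff is what catches a backdoor with no recognizable signature; the pattern scan just tells you which of the changed files deserve attention first. Keep the baseline somewhere the web server cannot write, or the attacker will update it for you.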
Layer 3 of Web Application Security: Bot Protection
Bot protection is an essential component of your web application security. Why? Because the vast majority of website attacks are automated: by common estimates, around 95 percent of attacks are carried out by bots. And bots do more than attack. Malicious bots have been estimated to account for as much as half of all website traffic, so keeping them off your site also improves performance for legitimate users.
Bot protection would be simple if you could just block all bots. But many bots are legitimate, like the crawlers from Google or Facebook that you want on your site to support your search rankings and visibility, so blanket blocking is not an option.
Your bot protection has to distinguish good, bad and suspicious bots and treat each accordingly. Ideally it gives you a range of responses for bad and suspected bots, including blocking them, challenging them with a CAPTCHA, or sending you an alert. It also needs up-to-date intelligence on attacker activity so it can recognize known malicious bots, however new they are. One check worth insisting on: a client that claims to be Googlebot or bingbot should be verified (the search engines document how, via a reverse DNS lookup on the source address and a forward lookup back), because impersonating a good bot is a common way for a bad one to get through.
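Here is an added example (Python, not from the original article) of the good/bad/suspicious triage described above, run over constructed access-log lines: a verified Googlebot, a client impersonating Googlebot from an unverified address, a scanner, a client sending no User-Agent, a forty-request burst, and an ordinary browser. The set of verified crawler addresses stands in for the reverse-DNS check you would do in production, and the tokens and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Stand-in for crawler verification (assumption). In production you confirm a
# claimed Googlebot/bingbot by reverse DNS on the source IP plus a forward
# lookup that resolves back to the same IP; here a fixed set plays that role.
VERIFIED_CRAWLER_IPS = {"66.249.66.1"}
GOOD_BOT_TOKENS = ("Googlebot", "bingbot", "facebookexternalhit")
SCANNER_TOKENS = ("sqlmap", "nikto", "masscan", "zgrab")
RATE_THRESHOLD = 30  # requests per client in the sampled window (assumption)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(ip, ua, request_count):
    """Return (verdict, action) for one client seen in the window."""
    if any(tok in ua for tok in GOOD_BOT_TOKENS):
        if ip in VERIFIED_CRAWLER_IPS:
            return "good", "allow"
        return "bad", "block"             # claims to be a search crawler but is not
    if any(tok.lower() in ua.lower() for tok in SCANNER_TOKENS):
        return "bad", "block"             # known attack tooling
    if ua in ("", "-"):
        return "suspicious", "challenge"  # browsers always send a User-Agent
    if request_count > RATE_THRESHOLD:
        return "suspicious", "challenge"  # a burst no person produces by hand
    return "human", "allow"


def triage(lines):
    """Aggregate requests per source IP and classify each client."""
    per_client = defaultdict(lambda: {"count": 0, "ua": ""})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line; skip rather than guess
        client = per_client[rec["ip"]]
        client["count"] += 1
        client["ua"] = rec["ua"]
    results = {}
    for ip, client in per_client.items():
        verdict, action = classify(ip, client["ua"], client["count"])
        results[ip] = {"requests": client["count"], "verdict": verdict, "action": action}
    return results


def _line(ip, path, ua, ts="10/Oct/2023:13:55:36 +0000"):
    """Build one constructed log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed sample traffic (documentation-range addresses).
SAMPLE_LOG = (
    [_line("66.249.66.1", "/", GOOGLEBOT_UA), _line("66.249.66.1", "/about", GOOGLEBOT_UA)]
    + [_line("198.51.100.7", "/wp-login.php", GOOGLEBOT_UA)]              # fake Googlebot
    + [_line("203.0.113.9", "/?id=1%27", "sqlmap/1.7")]                    # scanner
    + [_line("192.0.2.44", "/admin", "-")]                                 # no User-Agent
    + [_line("203.0.113.50", f"/item/{i}", BROWSER_UA) for i in range(40)]  # burst
    + [_line("198.51.100.20", "/", BROWSER_UA), _line("198.51.100.20", "/cart", BROWSER_UA)]
)

if __name__ == "__main__":
    for ip, result in triage(SAMPLE_LOG).items():
        print(ip, result)
```

The "bad" verdicts are where an alert belongs; "suspicious" gets a CAPTCHA or similar challenge, so a misjudged human loses a few seconds rather than access. Note that the impersonator is caught not by its User-Agent string, which is a perfect copy, but by failing the verification step.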
Layer 4 of Web Application Security: Login Protection
Since this article largely deals with issues such as malicious bots and cross-site scripting, it is easy to forget that one of the biggest threats to your website and your company’s wellbeing is someone simply guessing, phishing or otherwise obtaining an administrator’s login credentials.
Login protection guards against this with two-factor authentication. In addition to the correct username and password, anyone attempting to reach a protected part of your site or web resources has to complete a one-time authentication step, typically a code delivered by email or SMS, which confirms both that the account is on the list of people allowed into that area and that the person presenting the credentials is who they claim to be.
Think of two-factor authentication like using your bank card at an ATM: you have to have the card, and you also have to know the PIN. Those are the two factors, something you have and something you know. The second factor only helps if it is independent of the first, so a code sent to a mailbox that is protected by the same password adds little.
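As an added example (Python, not from the original article) of the login flow just described: a password check as the first factor, then a six-digit one-time code that the application would deliver by email or SMS. The code is generated with a CSPRNG, stored only as an HMAC, expires after five minutes, allows a limited number of guesses, and is single-use. The user record, salt and server key are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a delivered code is valid for five minutes (assumption)
MAX_ATTEMPTS = 5         # guesses allowed per issued code; 6 digits = 1,000,000 values


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record and salt for the first factor (a real store uses a
# per-user random salt).
_SALT = b"constructed-static-salt-for-demo"
USERS = {"admin": _hash_password("correct horse battery staple", _SALT)}


def check_password(username, password):
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash_password(password, _SALT))


class OneTimeCodeStore:
    """Issues and verifies single-use codes sent out of band (email or SMS)."""

    def __init__(self, server_key):
        self._key = server_key
        self._pending = {}   # username -> [digest, expires_at, attempts]

    def _digest(self, username, code):
        # Only an HMAC of the code is kept, so a leaked store does not leak live codes.
        return hmac.new(self._key, f"{username}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.randint
        self._pending[username] = [self._digest(username, code), now + CODE_TTL_SECONDS, 0]
        return code   # the caller delivers this to the user's phone or mailbox

    def verify(self, username, code, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False, "no pending code"
        digest, expires_at, attempts = entry
        if now > expires_at:
            del self._pending[username]
            return False, "expired"
        if attempts >= MAX_ATTEMPTS:
            del self._pending[username]          # force a fresh code after too many guesses
            return False, "too many attempts"
        entry[2] += 1
        if not hmac.compare_digest(digest, self._digest(username, code)):
            return False, "wrong code"
        del self._pending[username]              # single use
        return True, "ok"


def login_step1(store, username, password, now=None):
    """First factor. On success, issue the second-factor code for delivery; else None."""
    if not check_password(username, password):
        return None
    return store.issue(username, now=now)


def login_step2(store, username, code, now=None):
    """Second factor: the code the user received out of band."""
    return store.verify(username, code, now=now)


if __name__ == "__main__":
    store = OneTimeCodeStore(b"constructed-server-key")
    code = login_step1(store, "admin", "correct horse battery staple")
    print("code to deliver by SMS/email:", code)
    print(login_step2(store, "admin", code))   # (True, 'ok')
    print(login_step2(store, "admin", code))   # (False, 'no pending code'): single use
```

The attempt cap is what makes a six-digit code meaningful: without it, a script can try all million values against the endpoint. Binding the HMAC to the username stops a code issued for one account from being replayed against another.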
A Complex Solution for Complicated Threats
Not to rain on Kevin McCallister’s parade, but what he dealt with is nothing compared to what a website contends with in a day. Instead of two hapless burglars, your website faces malicious humans and malicious bots alike, the latter of which may not even be known at the time of the attack. Fortunately, one well-chosen web application security service can provide this comprehensive, layered protection.