Securing web applications: complexity is the enemy of security
Public web applications and web APIs are often the most critical part of the attack surface for any organization. These are publicly exposed services that attackers continuously test to find vulnerabilities or misconfigurations. A recent attack on U.S. T-Mobile illustrates the complexities and implications of the attack surface on overall posture. One API endpoint allowing a web bot to download excessive amounts of personal/business data can go unnoticed by IT operations, but that is how costly breaches occur nowadays. Even in traditional web applications such as web frontends for reading email, an unprotected or unpatched service can result in catastrophic consequences, as Rackspace Exchange users learned last year.
These examples of breaches are often the result of a combination of human factors and the increasing complexity of applications. Research such as the Verizon Data Breach Investigations Report confirms that over 80% of breaches are due to human error, configuration or design mistakes, and insufficient security knowledge.
Furthermore, web applications are now built modularly and function as a set of distributed units. These often operate as a microservices-based architecture implemented via containers. To make things even more complex, individual components can be located in different environments and in various locations: for example, in an on-premises data center with virtual machines on the vSphere platform, as a container on the AWS public cloud, as a serverless API in Azure, as a server cluster in a colocated data center, etc. This mesh architecture of modern applications offers many benefits but also increases complexity and risk.
Protecting web applications by eliminating complexity
Complexity is actually the enemy of security: the difficulties in managing publicly facing assets open up various possibilities for attackers and increase overall risks. Even if we secure one application component, adequately managing all communication points quickly surpasses the capabilities of administrators or security teams (DevSecOps).
Partners such as MSPs managing multiple customers will usually notice that maintaining web application components distributed across heterogeneous environments is difficult and costly, with many engineering hours spent on change requests, opening ports and documenting changes (and fixing errors!). Scaling these activities to many different customers eats into profit margins.
Therefore, the traditional approach based on a Web Application Firewall (WAF) or Next-gen firewall (NGFW) located on a single "ingress" point is becoming less effective. A distributed architecture is needed that allows for simpler implementation and maintenance (ideally through a SaaS model) and supports connecting different environments (on-premises, public cloud, microservices, containers), abstracting complexities.
Web application protection with F5 Networks
F5 Networks Distributed Cloud services, among other things, enable WAF and API protection at all points where application components can be located: on-premises, private or public cloud, addressing the key elements of the organization's attack surface. Management is centralized through the SaaS console, and the solution includes bot traffic protection, DDoS mitigation, API security, vulnerability shielding and all the other WAF functionalities needed once IT services are exposed to the public. In addition, the solution offers detailed telemetry and analytics for troubleshooting the operation of individual application components.
Read more on how to combat complexity and elevate application security with F5 Networks Distributed Cloud.