Posts tagged ‘Web Security’

How bfw Advertising Protects Its Web Apps

September 8, 2014 12:00 pm
By Cliff Turner, Sales Engineer, Alert Logic

bfw Advertising is a full service advertising agency with expertise in building websites. However, bfw Advertising does not have expertise in cloud or Web Application Firewall (WAF) technologies. In order to focus on its business, bfw Advertising turned to Rackspace Managed Cloud and Alert Logic.

The south Florida-based agency boasts a strong client list that spans industries from aerospace to healthcare to travel and more. It also has a strong interactive department that offers website design and development, with in-house Microsoft-certified web developers who build websites, intranets, extranets, applications and more for multiple clients.

A Rackspace customer for years, bfw Advertising recently moved its infrastructure to the Rackspace Managed Cloud, to take advantage of new functionality and to reduce costs, while also remaining in a fully managed environment. Moving to the managed cloud gave bfw Advertising an opportunity to take a fresh look at security technology that could further protect its customers’ websites and applications.

Web Application Firewall (WAF) Basics

Since bfw Advertising hosts many of the websites and web applications it develops for clients, one of the first technologies that Rackspace suggested bfw Advertising evaluate to protect its clients was a Web Application Firewall (WAF). A WAF examines web traffic, looking for suspicious activity and filtering out bad traffic, based on rules set by the user or by the WAF itself, which learns normal website behavior over time and blocks abnormal behavior.

WAF Example – SQL Injection

To better understand how a WAF works, let’s look at a quick example. While there are countless ways to try to breach websites, according to the Open Web Application Security Project (OWASP), the most popular method is SQL injection. In a SQL injection attack, malicious SQL statements are inserted into an entry field to do something like dump the database contents, if the attacker is looking to access the data, or erase the data, if the attacker is simply out to cause trouble.

Here’s an example where someone is using a shopping cart application to buy a new winter coat. In the entry boxes, the buyer selects a category and an item, and the web application translates those selections into SQL and makes a database request.

The SQL code would go to the database looking something like this:

In a SQL injection, an attacker adds malicious SQL code to the URL in the hope of finding a vulnerability that lets them do some damage, like the example here of dropping a table from the database, which would remove that information.

A WAF stops that from happening by examining the URL request; if the request contains anything malicious (like the example above), the WAF simply does not pass it on to the website.
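As an added illustration of the two points above (this is example code written for this page, not code from the original post, from bfw Advertising, Rackspace or Alert Logic), here is a small Python/SQLite sketch of the shopping-cart lookup: the query built by pasting the buyer's selection into the SQL text, the same lookup as a parameterized query, and a single signature rule of the kind a WAF applies to a request parameter before it reaches the application. The `items` table, its columns, the sample rows, the two crafted inputs and the regular expression are all assumptions constructed for the example.

```python
import re
import sqlite3

# Constructed sample catalogue standing in for the shopping-cart database
# (assumption: the real application's schema is not on the page).
SAMPLE_ROWS = [
    ("coats", "wool winter coat", 120.00),
    ("coats", "down parka", 180.00),
    ("hats", "knit beanie", 15.00),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (category TEXT, name TEXT, price REAL)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query_unsafe(category):
    """The vulnerable pattern: the user's selection is pasted into the SQL text,
    so anything that looks like SQL in the input becomes part of the statement."""
    return "SELECT name, price FROM items WHERE category = '" + category + "'"


def lookup_unsafe(conn, category):
    """Run the concatenated statement exactly as the vulnerable app would."""
    return conn.execute(build_query_unsafe(category)).fetchall()


def lookup_safe(conn, category):
    """The fix: a parameterized query. The driver passes the value as data,
    so it can only ever be compared against the category column; it can
    never change the shape of the statement."""
    return conn.execute(
        "SELECT name, price FROM items WHERE category = ?", (category,)
    ).fetchall()


# One hand-written signature rule of the kind a WAF applies to request
# parameters (assumption: a real product ships far larger rule sets plus a
# learned baseline of normal traffic; this single regex is only illustrative).
SQLI_SIGNATURE = re.compile(
    r"('\s*(or|and)\s+[\w']+\s*=\s*[\w']+)"  # quote-breaking tautology
    r"|(;\s*(drop|delete|insert|update)\b)"  # stacked statement after ';'
    r"|(--)",                                # SQL comment marker
    re.IGNORECASE,
)


def waf_blocks(param_value):
    """Return True if the parameter value matches the injection signature."""
    return SQLI_SIGNATURE.search(param_value) is not None


def handle_request(conn, category):
    """Simulate the edge: the WAF inspects the parameter first; only if it
    passes does the (parameterized) application query run."""
    if waf_blocks(category):
        return ("blocked", [])
    return ("ok", lookup_safe(conn, category))


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal selection and a quote-breaking one that
    # turns the WHERE clause into a tautology (the "dump the contents" case).
    for value in ["coats", "x' OR '1'='1"]:
        print(repr(value), "unsafe ->", lookup_unsafe(db, value))
        print(repr(value), "safe   ->", lookup_safe(db, value))
        print(repr(value), "waf    ->", handle_request(db, value))
```

Running it shows the gap the post describes: the concatenated query returns every row for the crafted value, while the parameterized query returns nothing because the value is simply a category string that does not exist. The same rule also flags a harmless value such as `coats--sale`, which is exactly the over-blocking that makes WAF tuning the expert job the post goes on to discuss.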

Alert Logic Web Security Manager at bfw Advertising

A well-documented challenge with WAFs is tuning them. WAFs require expert tuning and management to be effective; otherwise, they can impact site availability by blocking legitimate traffic, or they are tuned down to a level where they are no longer effective. And to be a WAF tuning expert, you typically have to be an expert in web applications, security and WAFs. So, to protect its clients’ web applications, bfw Advertising chose to work with Alert Logic Web Security Manager. Web Security Manager offered the WAF capabilities bfw Advertising needed, but even more important to the agency is that the Alert Logic WAF comes fully managed, so it could get the benefits of a WAF without having to become a WAF expert itself.

If you want to read more about bfw Advertising, you can read the case study on the Alert Logic website. To learn more about Alert Logic Web Security Manager, visit the Rackspace Marketplace.

Akamai Edge 2014: A Look at the Web Security Track

September 8, 2014 3:29 am
This time next month, I’ll be at the Akamai Edge customer conference. It’s a terrific opportunity to meet face-to-face with a lot of our customers and get their feedback on what’s working for them and what we can improve upon. A robust Web Security track of talks is planned, and I’ll be blogging about it.

Before that, I’ll be preparing some advance blog posts to give attendees a preview. This is the first such post — a glimpse at what’s on the schedule. Going forward, I’ll do previews of specific talks.

The security track will run each day of Edge. Here’s a partial list of what’s planned:

Wednesday, Oct. 8:

1:30-2 p.m.

  • Million Browser Botnet – Live Demonstration
  • DDoS Simulation LAB – How To Conduct a Live DDoS Simulation

2:20-3 p.m.

  • Incident Response Panel – From Theory to Reality
  • SSL LAB – What App Owners and Security Professionals Need To Do to Prepare for SSL Evolution

3:10-3:50 p.m.

  • The Evolution of SSL – Improving the Foundations of Internet Security, with Akamai PLXsert Manager David Fernandez
  • Security API LAB – Controlling Security at Akamai’s Edge

4-4:40 p.m.

  • The Growing Importance of Cybersecurity

Thursday, Oct. 9:

1:30-2:10 p.m.

  • Disruptive Trends in Security, with Securosis CTO Adrian Lane
  • SSL LAB – What App Owners and Security Professionals Need To Do to Prepare for SSL Evolution

2:20-3 p.m.

  • Security API LAB – Controlling Security at Akamai’s Edge
  • Security Panel – Towards Security and Operations Harmony

3:10-3:50 p.m.

  • DDoS Simulation LAB – How To Conduct a Live DDoS Simulation
  • Using Client Reputation to Enhance Security, with Akamai Director of Threat Research Ory Segal

Friday, Oct. 10:

9-9:40 a.m.

  • SSL LAB – What App Owners and Security Professionals Need To Do to Prepare for SSL Evolution
  • Bypass Surgery – Akamai’s Heartbleed Response Case Study, with Akamai Chief Security Architect Brian Sniffen

9:50-10:30 a.m.

  • 2014 DDoS Threat Report, with Akamai PLXsert Manager David Fernandez