Application Security

The importance of security

Any company with a significant online presence has most likely faced a cyber attack, whether they’re aware of it or not. For e-commerce specifically, the cost of a cyber attack can be very high, both in direct costs through revenue and infrastructure usage from the attack, and in indirect costs attributed to brand loss and the resources it takes to overcome an attack.

Cyber attacks occur in many ways: denial of service (DoS) attacks that try to bring down websites so that users cannot access them, attacks that try to steal product or pricing information for competitive purposes, or ransomware attacks where attackers hold the application infrastructure hostage and demand large sums of money to “release” it. Often, the most damaging attacks result in application owners losing control of and access to their application. These attacks can be perpetrated through the front-end by targeting weak points of the application path, or by sending an inordinate amount of traffic to bring the application down. But they can also come through the backend, by changing the filesystem and inserting malicious code or executables that can be easily exploited. Security solutions must cater to both dimensions of attack to ensure complete protection.

How to make an e-commerce storefront more secure

Web application security first requires a complete understanding of the different areas of exposure to attacks. Counter-measures then need to be applied to proactively protect against the known list of cyber attacks, while building an effective perimeter to protect against unknown attacks. All of this requires an e-commerce business to have a deep understanding of web application security, research capabilities into security threats on the Internet, real-time monitoring of application traffic, and writing policies to respond effectively when attacked. Often, this is not a core skillset available in many e-commerce businesses, but Webscale can help.

How does Webscale deliver security?

Webscale is the only multi-cloud SaaS solution that can offer true 360-degree web application security, by securing transactions from the browser, to the Webscale data plane and deep into the application infrastructure. This includes monitoring and analysis through machine learning, detection, mitigation and ongoing protection. The deployment is a combination of a decentralized control plane and a distributed data plane that “fronts” application traffic, and real-time backend monitoring and control that protects the application infrastructure (or origin). Threats identified by Webscale are instantly blocked, typically without reaching the application infrastructure, reducing load and future capex spend for your infrastructure as well as protecting your brand and revenue. Malicious file insertions are instantly identified, servers are quarantined and attackers are added to a block list to provide automatic real-time origin infrastructure protection.

The Webscale security toolkit has many features available to address security needs.

Web Application Firewall (WAF)

With our broad experience in the digital commerce space combined with end-to-end control over hundreds of web applications on multiple platforms including Magento, WordPress, WooCommerce, Drupal, Joomla, Ruby, Angular, and more, we have deployed a next-generation Web Application Firewall (WAF) purpose-built for digital commerce.

Our Web Application Firewall automatically protects critical web applications from the most common vulnerabilities such as SQL Injections, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and other OWASP top 10 threats. It also allows businesses to upload, create, and configure custom security rules to meet their particular security needs, all from within the Webscale portal. Webscale automatically includes WAF rulesets specifically fine-tuned for many applications, including digital storefronts.

PCI DSS Compliant

Webscale has been PCI DSS Certified since 2014. As of December 2017, an external Qualified Security Assessor Company (QSAC), RSI Security, has validated that Webscale successfully completed the PCI Data Security Standards 3.2 Level 1 Service Provider assessment and was found to be compliant for all the services.

Service provider levels are defined as:

Level 1: Any service provider that stores, processes and/or transmits over 300,000 transactions annually
Level 2: Any service provider that stores, processes and/or transmits less than 300,000 transactions annually


HTTPS transactions have become the standard for the web, especially for anything that involves sensitive information, like e-commerce transactions. With search engines now using HTTPS as a factor in determining the ranking of your websites, support for HTTPS is no longer optional. Webscale can convert your application infrastructure from HTTP to HTTPS without any changes on your side. We procure digital certificates on your behalf and manage the entire lifecycle of the certificates so you don’t have to do anything. We also maintain the latest versions and ciphers of SSL/TLS, the underlying security layer for all HTTPS web transactions, and deprecate the older ones, ensuring you always have the strongest level of security. HTTP/2 is the evolution of HTTP and the latest standard of the web, offering vast improvements in performance and built-in TLS. Webscale automatically enables HTTP/2 for all customers.

App Shield

It is critical for the application origin infrastructure to have the same strong protection that the web traffic accessing the application has. This ensures attackers cannot circumvent the cloud security solution and exploit the origin and databases directly. Webscale’s App Shield is a single-click security mechanism that instantly blocks any traffic accessing the infrastructure directly. Any traffic now accessing the application has to pass through the Webscale data plane, WAF and other included security barriers.

Bot Management

Bots can comprise a large portion of traffic to a web application. While some of these bots are good and help with the searchability of your site, many have malicious motives and can hijack your site (perhaps hold it to ransom), take over customer accounts, steal sensitive information like credit card details, cause DDoS attacks, or scrape valuable content (pricing, inventory, images and more) for the competition. All of this can cause irreparable damage to your brand reputation, customer loyalty, and competitive advantage, ultimately leading to a loss of revenue. While good bots should be allowed, bad bots need to be managed or blocked.

Webscale’s Cloud Bot Manager uses a combination of techniques to detect malicious bot attacks, such as IP reputation-based filtering, user agent based identification, behavioral analysis based on machine learning (by tracking suspicious activity and behavior over time and across multiple accounts), anomaly patterns, browser tests (using JavaScript execution), and classification. Once identified, bad bots can be blocked proactively, or dealt with by delaying responses, rate limiting, etc., or in the case of scrapers, sent to an alternate backend with inaccurate information. Search crawlers can also be managed appropriately after they access the application.

Intrusion Detection

Sophisticated cyber attacks are multi-dimensional. A common class of exploit occurs at the code level, where malicious agents are inserted into the application backend file system, and web requests are made to those agents to steal sensitive information, such as credit card data and identities. True end-to-end security is needed, going beyond the web traffic and deeper into your application. Webscale is the first of its kind to mitigate such attacks with Intrusion Detection. Webscale can constantly monitor and manage any code and asset changes to your infrastructure, alert you of any changes, and also automatically quarantine servers and/or keep out malicious agents from infecting the site’s users.

Web Controls

Targeting cyber threats requires the ability to adapt to the varying nature of attackers, as well as the patterns used to identify them. Many security solutions require the use of a specific language, or they task administrators with the burden of learning an entirely new language altogether. Webscale’s Web Controls solve this problem by providing a very simple do-it-yourself policy engine that matches on one or more conditions and configures an action associated with the match. With an extremely intuitive user interface (and similarly easy to use API), Web Controls can be used by administrators, support teams, or any Webscale portal user, to configure policies that act on traffic in real-time, and provide the required protection without the need to learn any new skills.

DDoS Shield Mode

DDoS (Distributed Denial of Service) attacks have become increasingly prevalent, especially with online retailers. DDoS attacks go after web applications with a deluge of requests from bots, automated software tools on the internet, that attack applications to bring them down and take them hostage in exchange for ransom payments. Webscale’s DDoS Shield mode provides one-click instant DDoS protection, requesting validations for human access and keeping out all bots that are attacking the application.

Address Sets

Address sets, as the name implies, are groups of IP addresses on which site administrators can perform specific actions based on business and security needs, from within the Webscale portal. These enable site owners or administrators to easily configure security policies, create block/allow lists, block certain types of threats, etc.

Address sets can be used to store IPs or geos that are to be blocked, permanently or for a short period of time, or allowed (admin IPs) to access the application.

Address sets are used to identify trusted sources, such as search engine bots or CDN edge nodes so they can be allowed in and responses to them can be optimized.

Address sets are also used to identify attackers or group suspicious intent, and take actions. Actions on these sets can range from blocking permanently, rate limiting, or challenging the requests to prove they are human.
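The condition-and-action matching described under Web Controls, combined with the address set actions listed above (allow, block, rate limit, challenge), can be sketched as a small first-match policy evaluator. This is an added example and not Webscale's engine or API; the set names, rule fields, and rule ordering are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed address sets (documentation ranges), not real Webscale data
ADDRESS_SETS = {
    "admin-ips": ["198.51.100.10/32"],
    "trusted-crawlers": ["192.0.2.0/28"],
    "suspicious": ["203.0.113.0/24"],
    "blocked": ["203.0.113.66/32"],
}

# Ordered policies: the first rule whose conditions all match decides the action.
# Explicit blocks come first so a blocked address never reaches an allow rule.
POLICIES = [
    {"set": "blocked", "action": "block"},
    {"set": "admin-ips", "action": "allow"},
    {"path_prefix": "/admin", "action": "block"},  # only admin-ips get past this
    {"set": "trusted-crawlers", "action": "allow"},
    {"set": "suspicious", "path_prefix": "/checkout", "action": "challenge"},
    {"set": "suspicious", "action": "rate_limit"},
]

def in_set(ip, set_name):
    """True if ip falls inside any CIDR range of the named address set."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for cidr in ADDRESS_SETS[set_name])

def decide(ip, path, default="allow"):
    """Return the action of the first policy matching this request."""
    for rule in POLICIES:
        if "set" in rule and not in_set(ip, rule["set"]):
            continue
        if "path_prefix" in rule and not path.startswith(rule["path_prefix"]):
            continue
        return rule["action"]
    return default

if __name__ == "__main__":
    for ip, path in [("203.0.113.66", "/"), ("198.51.100.10", "/admin/orders"),
                     ("192.0.2.5", "/admin"), ("203.0.113.7", "/checkout/pay")]:
        print(ip, path, "->", decide(ip, path))
```

Rule order carries the security decision here: placing the `/admin` block after the `admin-ips` allow but before the crawler allow means a trusted crawler address still cannot reach the admin path.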

Malware Scanner

Webscale’s Malware Scanner has the ability to automatically detect several types of malicious threats, including viruses, trojans, malware, and spyware, across platforms. Our 24×7 security operations team uses it to scan the entire web application environment, alert site administrators to cybersecurity threats lurking within, and implement measures to mitigate them.

Virtual Patching

Any application can have undiscovered vulnerabilities that may be exploited by attackers. Once these vulnerabilities are exposed, it still takes time between the application vendor creating a fix and you applying the patch. During this window, your application is exposed to attacks and a potential loss in brand and revenue. At Webscale, we solve this problem by having our security team constantly monitor application feeds, then create and apply security policies instantly as vulnerabilities are exposed.