The Compounding Challenges of Web Security, as Told By Fantasia
Using "The Sorcerer's Apprentice" as a metaphor for a new developer learning about the challenges of web security.
The Sorcerer's Apprentice
In a famous segment of Walt Disney’s animated classic Fantasia, Mickey Mouse plays the role of a brash and inexperienced apprentice to a master magician. Looking for an efficient way to complete his chores, he casts a spell on his broom, which begins sweeping the floors by itself. The situation soon spirals out of control as the broom’s activities intensify and the apprentice magician finds the broom no longer obeys him. Worse, when he chops it up into small pieces, hoping to stop the madness, he unwittingly creates an army of enchanted brooms, thus accelerating the havoc.
It is easy to draw a parallel between this folk tale and the modern state of the Internet – a system that is almost magical in its colossal potential for improving lives and businesses, but that also comes with its own uncontrollable hordes of miscreants.
Businesses of all kinds are feeling pressure to move more activities online to aid efficiency and growth. The web, however, is a platform originally built for sharing academic papers, not for conducting sophisticated business processes and transactions. Venturing outside the well-worn paths of simple web pages and corporate IT apps always invites risk.
Much like Mickey, a novice who’s thrilled by the potential of powerful magic, businesses moving to the web are meddling with something they cannot fully control.
The Army Grows
If bringing business processes to the web is risky to begin with, augmenting and improving those web experiences only increases that risk factor. Online commerce demands both speed and consistency. To deliver, companies turn to various proxies and services to help handle payments, processing, customer service, reviews and other tasks that may not be core to the traditional business. This allows for faster, cheaper processing of inbound and outbound data but in doing so exposes a business to the potential risks associated with using third party servers and applications.
These interconnections extend the challenges of maintaining a safe internet presence so that even the wizards within internal IT departments cannot keep up. The variety, severity, and sophistication of attacks are pandemic. The not-for-profit association OWASP publishes and maintains a summary of the ten most critical Web application security flaws, listed in the adjacent callout box. Each of these ten flaws is severe enough to allow attackers to take control of a site, and two of these – A5 and A9 – cannot be rectified using normal procedures. With these tools, hackers can run wild like the self-replicating brooms.
Reining In the Horde
With the proverbial “broom army” growing every day, a new crop of security solutions has developed specifically around complex modern web applications. A major player in this category is the cloud-based Web Application Firewall (WAF). WAFs differ from “on-prem,” datacenter-based security solutions such as traditional firewalls in that they cover the full breadth of an application, not just the parts the company owns. They are not replacements for existing security, but a crucial additional filter in a modern web that has data flying back and forth from billions of sources to billions of destinations.
The key benefit of a cloud-based WAF is that it can intelligently sense when things are wrong, while still allowing the level of interconnectedness that drives the modern web. Its functionality includes inspecting traffic to verify that requests are valid, and blocking or throttling traffic based on geography or IP address. Then there is the key “cloud-based” portion: because the current generation of WAF is offered as a service hosted in the cloud, businesses can avoid much of the painstaking work involved in building and operating a WAF themselves.
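To make the three behaviours named above concrete (request validation, blocking by IP or geography, and throttling), here is a small, self-contained request filter in that spirit. It is an added example written for this page, not the product of any WAF vendor or of the article's author; the `Request` shape, the `country` field (assumed to come from an upstream geo-IP lookup) and the sample addresses are constructed for illustration.

```python
"""Minimal WAF-style request filter: IP/geography blocking, per-client
throttling and coarse request validation. Constructed example."""
from collections import deque
from dataclasses import dataclass
import ipaddress
import re
import time


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    body: str = ""
    country: str = "ZZ"   # assumed: filled in by an upstream geo-IP lookup


@dataclass
class Decision:
    action: str   # "allow", "block" or "throttle"
    reason: str


class RequestFilter:
    def __init__(self, blocked_networks, blocked_countries,
                 max_requests, window_seconds, clock=time.monotonic):
        self.blocked_networks = [ipaddress.ip_network(n) for n in blocked_networks]
        self.blocked_countries = set(blocked_countries)
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock            # injectable so tests can freeze time
        self.history = {}             # client_ip -> deque of request timestamps
        self.allowed_methods = {"GET", "POST", "HEAD"}
        # Deliberately crude "should never appear here" pattern; a real WAF
        # carries a large, maintained rule set instead of one regex.
        self.suspicious = re.compile(r"<script|\x00", re.IGNORECASE)

    def _blocked_origin(self, req):
        ip = ipaddress.ip_address(req.client_ip)
        if any(ip in net for net in self.blocked_networks):
            return "client address in blocked network"
        if req.country in self.blocked_countries:
            return f"country {req.country} not served"
        return None

    def _invalid(self, req):
        if req.method not in self.allowed_methods:
            return f"method {req.method} not allowed"
        if self.suspicious.search(req.path) or self.suspicious.search(req.body):
            return "request matched suspicious pattern"
        return None

    def _over_rate(self, req):
        # Sliding window: drop timestamps older than the window, then count.
        now = self.clock()
        q = self.history.setdefault(req.client_ip, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.max_requests

    def inspect(self, req):
        reason = self._blocked_origin(req)
        if reason:
            return Decision("block", reason)
        reason = self._invalid(req)
        if reason:
            return Decision("block", reason)
        if self._over_rate(req):
            return Decision("throttle", "rate limit exceeded")
        return Decision("allow", "ok")


def run_demo():
    """Run constructed requests through the filter; returns the action list."""
    f = RequestFilter(blocked_networks=["203.0.113.0/24"],   # constructed
                      blocked_countries=["XX"],              # constructed code
                      max_requests=3, window_seconds=60,
                      clock=lambda: 100.0)                  # frozen clock
    requests = [
        Request("203.0.113.5", "GET", "/", country="US"),            # blocked net
        Request("198.51.100.7", "GET", "/", country="XX"),           # blocked geo
        Request("198.51.100.7", "DELETE", "/", country="US"),        # bad method
        Request("198.51.100.7", "GET", "/search?q=<script>", country="US"),
    ] + [Request("192.0.2.10", "GET", "/", country="US")] * 4        # 4th throttled
    return [f.inspect(r).action for r in requests]


if __name__ == "__main__":
    for action in run_demo():
        print(action)
```

In deployment this kind of check sits in front of the application (for example as WSGI middleware or in a reverse proxy), which is exactly the position a WAF occupies; the value of the hosted version the article describes is that the rule set and the throttling state are maintained for you rather than hand-rolled like this.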
For a different type of simile: if traditional security measures are like a medieval castle, with few and highly controlled entry points, WAFs are like a combination of video surveillance and on-the-ground police force covering an otherwise open cityscape. Access is granted by default – people are moving freely throughout – but if they break the rules, they’ll be dealt with swiftly. In other words, a WAF allows for increased security without reverting to a pre-modern way of conducting online business.
Published at DZone with permission of Alex Pinto, DZone MVB. See the original article here.