We can all agree that cyber attacks are on the rise. Be it Yahoo's data leak in 2013, in which 1 billion user accounts were compromised, or the more recent Equifax data leak, which affected 143 million of its customers, these events show the increased risk every web application faces. Web applications are the flesh and bones of today's businesses, and are often soft targets for damaging attacks. Unfortunately, applications need to access, collect, process, and relay sensitive data to execute business logic. Web application security is paramount for businesses that provide services using sensitive data. To understand the problem in more detail, we should examine what occurred in the case of Equifax; the attack is mind-boggling in its scale and damage.
Citrix NetScaler's recently exposed security exploit, which allows attackers to bypass authentication and take full control of the load balancing infrastructure, is frightening. But it is hardly a standalone incident. Every product from every company may eventually succumb to a critical vulnerability. This raises some good questions about security. How does a vendor test the security of its product? If vulnerabilities are inevitable, what are the vendor's response and the customer's strategy?
If you take a look at the load balancer discussions on various online forums, you will notice that load balancers often result in outages. Ironic, isn’t it?
This article originally appeared in Dark Reading on Apr 15, 2016.
The advantages offered by the container model go against many of the assumptions of traditional security mechanisms. Here are 5 new concepts & 4 best practices you'll need to understand.
The news coming out of Hackmageddon, that January reported an unusually low number of attack techniques, was quite disturbing. Did the security industry really manage to get the upper hand? Wait for it... oh, here comes another devastating vulnerability!
I recently read an interesting blog post on an ADC vendor’s site that demonstrates a Rube Goldberg approach to showing common SSL information. Now I won’t name names but I will admit that it inspired me to write a quick blog post to show the business-ready alternative to the science project approach!
I’m pretty certain that whoever first uttered the phrase “anything easy isn't worth having” was no IT administrator. This certainty derives from the seemingly path-of-least-resistance attitude that many enterprises hold when it comes to enforcing stringent levels of encryption security for public infrastructure including their websites. We’ve previously blogged on the excuses many enterprises make for their lax encryption practices, but it’s worth examining what I believe is the primary culprit for this: lack of visibility and insights into their security profiles.
The cold truth: you are rarely secure when you connect to an SSL-encrypted web site. The browser shows a happy little lock icon, and you think nothing further on the subject. But recent revelations and exploits, such as the NSA, nation states and others scooping up vast quantities of Internet data, courts ordering websites to give up their SSL keys, and Heartbleed leaking session data, have proven that we need to revisit the level of security used by web sites.