Why Your Web Application Firewall (WAF) Will Not Help Against Third-Party Website Attacks?

Why Your Web Application Firewall (WAF) Will Not Help Against Third-Party Website Attacks?
September 18, 2019

Why Your Web Application Firewall (WAF) Will Not Help Against Third-Party Website Attacks?

In spite of having the best web application firewall (WAF) system securing your website, the risk of a third-party web breach is all over

 

An interactive, dynamic website is the ‘online’ face of your business.
It is also a critical factor in deciding the success of your organization, but at the same time, it presents severe blind spot risks – between the user and your website.

Most secured businesses are already using top brand security perimeters such as Next Generation firewalls or Web Application Firewall (WAF) solutions on to their websites to ward off threats from cybercriminals, assuming they are reasonably safe from these online risks. However, that would not be enough in today’s ever-changing technology space, as these security measures do not protect you from web third-party threats which are presented ‘inside’ your websites – with or without your consent.

The Role of Firewalls and WAFs

Both firewall and WAF solutions monitor the traffic between the end-user and the website. Firewalls are put more emphasis on the 3rd and 4th layer of OSI layer architecture, which is the TCP/IP data,  while few claim to provide additional support for the application level. WAFs are focusing on traffic monitoring in the 7th layer, i.e., the HTTP request and malicious craft requests in specific. Together, this combination should be able to block any website attacking attempt, or any malicious activity from end-users at the website, intentionally or accidentally. These solutions can protect against attacks such as code injection (XSS, SQLi, CSRF) as well as DDoS or other misconfiguration issues. But these WAF and firewall solutions only cover the threats partially, leaving a huge third-party risk blind spot on your website.

Websites today are integrating more third-party components, but do they take all the necessary means to protect themselves?

So, What Is the Underlying Problem? Where’s the Blind-Spot?

A third-party script runs on the client-side, the user browser, and establishes a connection between the end-user and the third-party vendor itself. It means that the entire connection between the end-user and any third-party on a given website is not monitored by the existing security solutions, such as a firewall or WAF. But it gets even worse. These security tools are not even noticing the communication taking place between both the endpoints. This basically leaves you no ability to know what these third-party scripts actually do: where they run, how they are communicating with other components or remote domains. From pure privacy point-of-view, these components perform tracking independently. Once again, your capabilities to detect such actions that affect regulations, GDPR or CCPA, is still limited.

As these components are mostly third-parties, they are beginning to load when the user first visit the page. But what is loaded? It can be changed each time, depending on the vendor’s profile for the user, or  on a new version release. Even if you do use a second layer of security, such as code review or penetration testing, the conclusion is still clear – these kind of security perimeters will only be relevant for the testing day itself and several use cases in specific.

What would you do, when the vendor releases a new version, fully automatically and within the already existing connection between this vendor (or this vendor vendors’) and your end user? Security controls, such as firewall or WAF, can defend the web-server from malicious actor’s activities, but the big questions are what can protect the end-users themselves and? Which of these tools have the access to the inspected data?

Surprisingly, the average security department spends millions of dollars on creating a strong perimeter defense for the website, and validating any code that is about to be upload. But it all misses a big chunk of code: dozens third-parties code, each can bypass the process completely and get access to your most sensitive data.

 

Your indispensable third-parties: “Handle with care”

In this era of competition, the services that third-party web tools and applications offer, are invariable for enhanced functionality of any business website. However, ignoring the risk they pose will be careless, especially while considering they have access to your sensitive and confidential data residing on your website. Let’s remember, these components can access and operate your web pages from remote locations. You may think that you have protected your website with the highest degree of security; however, can you guarantee that web third-parties that are integrated into the backbone of your website and are authorized by you to perform any operation on the website, will also do the same? Maybe, or maybe not.

Are you willing to be accountable for it? Well, judging by the latest fines that were issued by the ICO to British Airways, it is evident that the theft of client’s personal data by web third-party script is a violation of privacy regulation and may result in huge penalties to the company, in this case a £183 million fine! That is a significant number for any organization. It can be avoided with deploying the right security solution for your website.