The importance of web security - Vulnerabilities hidden in web applications -
This is Ohara from the technical sales department.
This time's theme is "Web Security".
Many web applications are built with trendy designs and playful touches as part of companies' efforts to attract customers and sell on the web. It is just as important, though, to be conscious of "web security".
This time I would like to write about the "WAF", which makes such security measures possible.
■ What is a WAF?
A "WAF" (Web Application Firewall) is a firewall specialized for the applications running on websites.
Its main role is to protect websites such as the following from unauthorized attacks:
- Sites that accept input from users
- Sites that dynamically generate pages in response to requests, etc.
Unlike a general firewall, it is characterized by the ability to analyze the content of the data at the application level, that is, the HTTP request itself rather than only addresses and ports.
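To make the difference between a network firewall and a WAF concrete, the following is an added example written for this post (it is not code from any WAF product mentioned here). The `Request` class, the two rule names and the three sample requests are all constructed for the illustration; the rule set is deliberately tiny and a real WAF uses far larger, tuned rule sets to keep false positives down.

```python
"""Toy model of a network firewall vs. a WAF (added illustration, not product code)."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    src_ip: str
    dst_port: int
    method: str
    url: str
    body: str = ""


# A network firewall only sees layer 3/4 fields such as the destination port.
ALLOWED_PORTS = {80, 443}


def network_firewall(req: Request) -> str:
    """Allow or block purely on port; the HTTP content is invisible here."""
    return "allow" if req.dst_port in ALLOWED_PORTS else "block"


# Hypothetical signature rules (constructed for this example). They match the
# classic shapes of SQL injection and script injection in user-supplied values.
RULES = [
    ("sqli-quote-or", re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?", re.I)),
    ("sqli-trailing-comment", re.compile(r"(--|/\*|;)\s*$")),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", re.compile(r"\bon\w+\s*=", re.I)),
]


def extract_params(req: Request) -> list[str]:
    """Collect every user-controllable value: query string plus form body."""
    values = []
    query = urlsplit(req.url).query
    for vals in parse_qs(query, keep_blank_values=True).values():
        values.extend(vals)
    if req.body:
        for vals in parse_qs(req.body, keep_blank_values=True).values():
            values.extend(vals)
    return values


def waf(req: Request) -> tuple[str, list[str]]:
    """Inspect application-level content; return ('block', rule names) or ('allow', [])."""
    hits = set()
    for value in extract_params(req):
        for name, pattern in RULES:
            if pattern.search(value):
                hits.add(name)
    return ("block", sorted(hits)) if hits else ("allow", [])


# Constructed sample traffic: all three arrive on the allowed HTTPS port.
REQUESTS = {
    "benign": Request("203.0.113.10", 443, "GET", "/search?q=summer+shoes"),
    "sqli": Request("203.0.113.11", 443, "GET", "/search?q=%27+OR+%271%27%3D%271"),
    "xss": Request("203.0.113.12", 443, "POST", "/comment",
                   body="text=%3Cscript%3Ex%3C%2Fscript%3E"),
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        print(label, "network firewall:", network_firewall(req), "| WAF:", waf(req))
```

The port-only check passes all three requests, because to a network firewall they are indistinguishable HTTPS connections; only the WAF, which decodes the query string and form body, can tell the malicious values apart from the harmless search.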
A few years ago, a WAF was an expensive solution that only a limited number of companies could use, because of the difficulty of implementation and the high cost.
With the advent of the cloud-based WAF, which is inexpensive and does not require complicated operation, it has become one of the best options for website defense.
■ Current status of web applications
Ideally, more thorough testing and evaluation would be carried out before releasing a web application, but
web application development is also a constant race against time. With a limited development schedule,
it is difficult to completely eliminate vulnerabilities no matter how much work you do,
so I think the reality is that at some point you have to give up and start the service.
■ Vulnerability type and risk level
Among the vulnerabilities commonly targeted by attacks on web applications,
"SQL injection," "cross-site scripting (XSS)," and
"cross-site request forgery (CSRF)" can be mentioned.
In order to develop web applications that ensure security,
constantly keeping up with this information and its countermeasures is a huge burden for developers.
● SQL injection
An attack on a website linked to a database, in which the program that queries or manipulates the database is fraudulently manipulated to tamper with the database or obtain information.
● Cross-site request forgery (CSRF)
An attack that causes users to execute commands they did not intend, such as
"post," "delete," "purchase," "unsubscribe," and "send message,"
on web applications such as bulletin boards and online shops.
● Cross-site scripting (XSS)
An attack that intentionally exploits security flaws in applications that dynamically generate web pages and
injects malicious scripts into them.
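The three vulnerability types above are easier to recognize in code than in prose, so here is an added example (written for this post, not taken from any product or project) that shows each one as a vulnerable function beside its hardened counterpart. The `users` table, the sample rows and the `session`/`form` dictionaries are constructed for the illustration; the countermeasures shown are the standard ones: bound parameters for SQL, output escaping for HTML, and a per-session token checked on state-changing requests.

```python
"""Vulnerable vs. hardened handling for SQL injection, XSS and CSRF (added example)."""
import html
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


# --- SQL injection: the query program is manipulated through its input ---
def find_user_vulnerable(conn, name: str) -> list:
    # String concatenation lets the input change the structure of the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name: str) -> list:
    # A bound parameter is always treated as data, never as part of the SQL.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# --- XSS: untrusted text is placed into a dynamically generated page ---
def render_comment_vulnerable(text: str) -> str:
    return "<p>" + text + "</p>"  # user text becomes live markup


def render_comment_safe(text: str) -> str:
    # Escaping turns <, >, &, quotes into entities, so the browser shows them as text.
    return "<p>" + html.escape(text, quote=True) + "</p>"


# --- CSRF: a state-changing action is triggered without the user's intent ---
def issue_csrf_token(session: dict) -> str:
    """Store an unguessable token in the session and return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def handle_delete_vulnerable(session: dict, form: dict) -> str:
    # Any request that carries the session cookie succeeds, including one a
    # third-party page tricked the browser into sending.
    return f"deleted post {form['post_id']}"


def handle_delete_safe(session: dict, form: dict) -> str:
    # The action is only performed when the form carries the token that this
    # session issued; a cross-site page cannot read that token.
    expected = session.get("csrf_token")
    provided = form.get("csrf_token", "")
    if not expected or not secrets.compare_digest(expected, provided):
        return "rejected: missing or invalid CSRF token"
    return f"deleted post {form['post_id']}"


if __name__ == "__main__":
    db = make_db()
    bad_name = "' OR '1'='1"  # constructed probe value for the demonstration
    print("vulnerable query returns", len(find_user_vulnerable(db, bad_name)), "rows")
    print("safe query returns", len(find_user_safe(db, bad_name)), "rows")
    print(render_comment_vulnerable("<script>x</script>"))
    print(render_comment_safe("<script>x</script>"))
    sess = {}
    tok = issue_csrf_token(sess)
    print(handle_delete_vulnerable(sess, {"post_id": "42"}))
    print(handle_delete_safe(sess, {"post_id": "42"}))
    print(handle_delete_safe(sess, {"post_id": "42", "csrf_token": tok}))
```

Running it shows the vulnerable query returning every row for a name that matches nobody, the unescaped comment arriving in the page as a script tag, and the unprotected delete handler accepting a request that carries no proof the user submitted the form. A WAF can filter many such requests in front of the application, but the hardened versions are what remove the vulnerability itself.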
In this way, web application vulnerabilities
have become a familiar problem that always haunts development and operation.
■ Summary
I feel that website defacement and information leaks are no longer someone else's problem, whether for a company or an individual.
Even companies that don't have a lot of money to spend on web security measures can adopt
cloud-based services, as they are easy to implement and can be deployed quickly.
I would like to introduce the cloud-based WAFs that I personally recommend.
●Scutum
It is said to be the world's first cloud-based WAF and has been installed on 1,500 sites.
●IIJ WAF Solution
http://www.iij.ad.jp/biz/waf-sol/
This WAF is available in both on-premises and cloud formats.
*By the way, our company Beyond also handles cloud-based WAF services,
so if you are considering web security measures, please feel free to contact us!