Over the years, one question amongst prospects and clients seems to dominate the agenda. The question derives from a statement (paraphrased);

"We already have a firewall in place, and intrusion detection and preventions systems. Why do we need additional security to protect websites and/or web applications?" 

OR 

"How is it possible for the website to be hacked while all the web servers are well protected and monitored 24x7 by the IT team?"

To answer these questions, we often use a visual representation describing multiple security layers that most companies may already have in place to safeguard their most critical digital assets. While it's not a comprehensive or complete list, vast majority of business leaders understand the concept:

End-Point Layer

• Anti-virus
• Anti-malware 
• Intrusion Prevention

Transport Layer

• TLS / SSL (HTTPS)
• Other encryption protocols

Access Control Layer

• Access Controls
• Authentication

​Network Layer

• Perimeter Firewalls
• Unified Threat Management (UTM) (intrusion detection, anti-virus, anti-spam, content filtering, data loss prevention, etc.)

Application Layer

• Web Application Firewalls
• Code Security (against vulnerabilities)

While ideally, all the above components must be in place, there is no guarantee that your network, and/or a web application won't be penetrated for variety of reasons, including internal threats by people with access to your core systems. In any event, having most or all components in place would significantly minimize the risk of intrusion and data loss. 

The Application Layer is still the most misunderstood security layer amongst business leaders since to many people, it's a relatively new threat. Traditional firewalls, while evolved over time, are not generally designed to protect web applications. Additionally, web application protection is a skill, hence such proficiently should not be expected from your webmaster, software engineers or the IT team.

The two most critical components of the Application Layer defence are Web Application Protection, and Code Security. If your business develops and utilizes custom software, you must ensure that your code is explicitly tested to detect any known vulnerabilities. Moreover, such testing must be performed after every significant code change, such as changes resulting in a new software release. 

At the same time, Web Application Protection is generally achieved by implementing a web application firewall (WAF), a firewall specifically designed to identify application level threats and block them. Such technologies have been around for over a decade, and have matured significantly, incorporating machine-learning algorithms that are capable of learning using large data sets, to quickly identify and prevent a threat.

While the silver bullet of information security is yet to be found, general awareness and high-level understanding of multi-layered protection will, at the end of the day, help your business prosper. While some business leaders see information security benefits as intangible, think about a possibility of being hacked, and losing either your intellectual property or customer data.

Great post by Dentons concerning the recent ruling. If you or your company serves EU based clients, it's a must read.

Read more