
3+3 AWS services to help you secure (not only) cloud-based web applications

Web application security today does not mean a single firewall but a combination of layers – from DDoS protection, through a Web Application Firewall, to the security role of a CDN. In this article I show how to combine these layers so that they work as a cohesive whole and the application can withstand both volumetric and application-layer attacks.

Martin Gavanda


Why web application security is a crucial issue today

It probably won’t come as a surprise that web applications are among the most exposed assets in your entire application portfolio. They are usually reachable by anyone, so anyone can try to „hack“ them.

You might think that this couldn’t happen to you, or that such attacks only affect large companies. However, the data and statistics speak for themselves:

  • 56 % of organisations have come under attack.
  • Year-on-year, the number of attacks grew by more than 50 %.
  • Two-thirds of attacks were aimed at smaller companies.
  • In around 30 % of cases the attack came through third-party components (typically out-of-date libraries).

So how can we protect ourselves?

If you’re looking for a single, specific solution, you’ll be disappointed. To make a web application secure, you need to address not only its infrastructure but the whole application lifecycle, from development through testing and deployment to operation.

In this article we focus mainly on Amazon Web Services infrastructure and services, but comparable services are of course available in the Azure environment as well, and Jakub Procházka will be happy to introduce them to you if you’re interested.

What does web application security actually involve in practice?

In practice, web application security is not limited to the code level, but also extends to the infrastructure surrounding the application.

This time we won’t look in detail at the architecture of a specific application. Instead, we’ll look at the services that should be deployed in front of the application and provide it with an additional layer of security.

We usually recommend that customers implement three key services to protect the web application itself (AWS Shield, AWS WAF and Amazon CloudFront, covered in turn below), complemented by a package of services for security monitoring. Both groups are shown in the following overview:

Key services providing web application protection and security monitoring

Protecting web applications against DDoS attacks

DDoS attacks are among the most common threats to the availability of web applications. Their aim is to exhaust the infrastructure with traffic, not to exploit an application vulnerability.

AWS Shield protects web applications by blocking DDoS attacks automatically, without the infrastructure owner having to intervene. It is available in two tiers:

  • Shield Standard (free, enabled for every AWS customer)
  • Shield Advanced (paid subscription)

Shield Standard protects against attacks at layers 3 and 4, typically various flood attacks. It is not sufficient against application-layer (layer 7) attacks.

Strictly speaking, a Web Application Firewall can give you that layer-7 protection (if it is configured correctly!). But if you want a largely self-managing solution, Shield Advanced is an excellent choice and adds the following:

  • Automatic creation of Web Application Firewall rules
    Shield Advanced can generate WAF rules in response to a detected application-layer attack without manual intervention: it recognises the attack and starts blocking the malicious traffic on its own. This requires a WAF web ACL to be associated with the protected resource and the automatic mitigation to be enabled for it.
  • Financial protection
    If an attack causes protected AWS resources (EC2, CloudFront, Application Load Balancer, etc.) to scale out, AWS reimburses the resulting costs in the form of service credits.
  • Incident response
    You have access to the AWS Shield Response Team 24/7. During an active attack they help with mitigation, rule tuning and post-incident analysis. Engaging the team requires a Business or Enterprise Support plan.

The drawback of Shield Advanced is its price: a fixed fee of 3,000 $ per month with a one-year commitment, plus usage-based data transfer charges for the protected resources. On the other hand, the fee is charged once per organisation (consolidated billing), so every resource you enrol in any of its accounts is covered. Note that a resource is not protected until you add it to Shield Advanced.

Web Application Firewall (WAF) as a key layer of protection

Application-layer attacks target the logic of the web application and its inputs directly, and this is precisely where the Web Application Firewall plays a key role.

I strongly recommend placing this key component in front of every web application, not just public ones.

A Web Application Firewall provides web applications with an additional layer of protection.

A Web Application Firewall „sees“ layer 7 and can inspect HTTP/HTTPS requests: method, path, query string, headers, cookies and the request body. One caveat: AWS WAF inspects only the leading part of the body (by default 16 KB for CloudFront and 8 KB for an Application Load Balancer, extendable to 64 KB), so the handling of oversized bodies must be configured deliberately. This lets it block a wide range of application attacks before they reach the application itself, for example:

  • SQL Injection
    An attacker injects malicious SQL code (such as ' OR 1=1 --) into form fields or URL parameters with the aim of manipulating database queries. The WAF recognises these patterns and blocks the request before it reaches the database. It is pattern matching, so it complements parameterised queries in the application rather than replacing them.
  • Cross-Site Scripting (XSS)
    The attacker inserts malicious JavaScript (or HTML) into input fields so that it is later executed in another user’s browser. The WAF filters dangerous content out of the inputs before the application stores or reflects it.
  • HTTP Flood and bot attacks
    An attacker or a botnet generates a large number of requests to specific endpoints, such as login forms or APIs. The WAF can limit the number of requests from a single IP address, or from another key such as a session cookie or header (rate limiting).
  • Path Traversal
    The attacker tries to access files outside the webroot using specially crafted URL paths (e.g. ../../etc/passwd). The WAF detects these requests and blocks them.
  • Malformed requests
    An attacker sends invalid or non-standard requests, often to bypass security checks or to probe the application’s behaviour. The WAF filters them based on headers, methods or user-agents.
  • OWASP Top 10
    AWS WAF includes managed rule groups (such as the AWS Core rule set) whose signatures cover many OWASP Top 10 categories, above all the injection-type ones. Categories such as broken access control or insecure design are logic flaws that no WAF can see and must be handled in the application itself.
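As an added example (not code from the original article), the following Terraform definition shows how the pieces described above fit into one AWS WAF web ACL for a CloudFront distribution: the AWS managed Core rule set with one sub-rule kept in count mode for tuning, a rate-based rule restricted to the login path, and the body-size inspection limit raised to its maximum. The ACL name, the `/login` path, the 300-request limit and the `aws.us_east_1` provider alias are assumptions.

```hcl
# Added example, not from the original article. CloudFront-scoped web ACLs
# must live in us-east-1, so an aliased provider "aws.us_east_1" is assumed.
resource "aws_wafv2_web_acl" "edge" {
  provider = aws.us_east_1
  name     = "web-app-edge-acl" # assumed name
  scope    = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # AWS WAF inspects only the leading part of the body. Raise the CloudFront
  # default (16 KB) to the 64 KB maximum so larger POST bodies are examined.
  association_config {
    request_body {
      cloudfront {
        default_size_inspection_limit = "KB_64"
      }
    }
  }

  # AWS managed Core rule set: SQLi, XSS, path traversal and malformed-request
  # signatures. override_action "none" keeps each rule's own block action.
  rule {
    name     = "aws-managed-core"
    priority = 10

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesCommonRuleSet"

        # Tuning: run a noisy sub-rule in count mode first and switch it to
        # block only after reviewing the sampled requests it matched.
        rule_action_override {
          name = "SizeRestrictions_BODY"
          action_to_use {
            count {}
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-managed-core"
      sampled_requests_enabled   = true
    }
  }

  # Rate limiting: block an IP that sends more than 300 requests whose path
  # starts with /login within the 5-minute evaluation window (assumed values).
  rule {
    name     = "login-rate-limit"
    priority = 20

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 300
        aggregate_key_type = "IP"

        scope_down_statement {
          byte_match_statement {
            search_string         = "/login"
            positional_constraint = "STARTS_WITH"
            field_to_match {
              uri_path {}
            }
            text_transformation {
              priority = 0
              type     = "LOWERCASE"
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "login-rate-limit"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "web-app-edge-acl"
    sampled_requests_enabled   = true
  }
}
```

The ACL is attached to a distribution through its `web_acl_id` argument (the ACL ARN). To see what the count-mode sub-rule would have blocked, enable logging for the ACL with `aws_wafv2_web_acl_logging_configuration` and review the `COUNT` actions before promoting the rule to block; this is the „configured correctly“ part of the WAF story.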

A content delivery network as the first line of defence

A content delivery network (CDN) is not just about performance – from a security perspective, it is the first point of contact between the user and the application.

You might be thinking that CloudFront is, after all, a content delivery network whose main role is to distribute content through a global network of edge locations closer to users. That is indeed the tool’s main role. But from a security perspective CloudFront is the first line of defence – all traffic passes through the AWS edge before it reaches your web application.

Put simply, an attacker never communicates directly with your application. They communicate with CloudFront, and all filtering takes place at that level. This holds only if the origin itself refuses traffic that does not come from CloudFront; otherwise an attacker who discovers the origin address simply bypasses the edge.

CloudFront is your first line of defence.

So what does CloudFront offer in terms of protecting your web application?

  • Hiding a web application
    Whether the application runs on EC2, in containers or in a serverless environment, the user or attacker communicates with CloudFront, not with the application. The application is „hidden“ from the public internet provided the origin is locked down to CloudFront, typically by allowing only the AWS-managed CloudFront origin-facing IP ranges and by verifying a secret header that CloudFront adds to every origin request.
  • DDoS protection
    The CloudFront network has enormous capacity spread across hundreds of edge locations worldwide. When a volumetric DDoS attack occurs, CloudFront absorbs it across its infrastructure instead of forwarding it to your application. From the application’s perspective, normal (filtered) traffic continues as usual.
  • Integration with a Web Application Firewall
    A CloudFront distribution can be associated with a WAF web ACL, so every request is evaluated (and, where necessary, blocked) at the edge location – as close as possible to the attacker and as far as possible from the application. Malicious traffic is stopped before it reaches the application, which saves compute capacity and data transfer costs.
  • Caching as an additional security benefit
    CloudFront serves static content (images, JS, CSS, HTML) directly from its cache, so the application is not burdened at all. A DDoS attack aimed at cacheable content therefore never reaches the application; dynamic, uncacheable requests still pass through to the origin and rely on the WAF and rate limiting.

How the individual layers of protection fit together

The true resilience of a web application is achieved only through a combination of individual layers of protection, each of which addresses a different type of threat.

AWS Shield, AWS WAF and Amazon CloudFront can each function independently, but ideally you combine all three. This gives your web applications protection against DDoS attacks at every layer, against known application-layer attack patterns, and against abusive traffic volumes aimed at individual endpoints.

Layer                           | Service                | What it addresses
Network/transport (L3/L4)       | AWS Shield (Advanced)  | Volumetric DDoS, SYN flood, Shield Response Team, automatic WAF rule creation
Content delivery network (CDN)  | Amazon CloudFront      | Absorbing high traffic volumes, origin masking, geo-blocking
Application (L7)                | AWS WAF                | SQL injection, XSS, rate limiting, OWASP Top 10 style vulnerabilities

How to secure on-premises applications (outside the AWS environment)

The principles of web application security remain the same regardless of whether the application runs in the cloud or on-premises. So if you’re wondering how to secure an application that is not running in AWS, the answer is: in exactly the same way.

In AWS you deploy only the security services (CloudFront, WAF and Shield), and CloudFront uses your existing data centre as its origin. All user traffic then passes through the AWS edge before it is forwarded to your infrastructure. As with an AWS-hosted origin, the on-premises entry point must accept requests only from CloudFront (the published CloudFront IP ranges and a verified origin header), or the extra layers can be bypassed.

This approach makes it possible to unify the protection of cloud-based and on-premises applications under a single security architecture without changing the application stack itself.

An example of how individual AWS services can be used to secure an on-premises application
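As an added example (not code from the original article), the Terraform below wires the layers together the way the „Hiding a web application“ bullet and the on-premises section describe: a CloudFront distribution that attaches an existing WAF web ACL, forwards everything to a single origin, adds a secret header to every origin request, is enrolled in Shield Advanced, and a security group rule that admits only CloudFront’s origin-facing IP ranges. The hostname `origin.example.com`, the header name `X-Origin-Verify` and the three input variables are assumptions.

```hcl
# Added example, not from the original article. Assumed inputs: the ARN of an
# existing CloudFront-scoped web ACL, the ALB security group, and a secret.
variable "web_acl_arn" { type = string }
variable "alb_security_group_id" { type = string }

variable "origin_verify_secret" {
  description = "Random value CloudFront adds to every origin request; rotate it regularly"
  type        = string
  sensitive   = true
}

# AWS-maintained list of the CloudFront origin-facing IP ranges.
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

# Managed policies suited to dynamic application traffic: no caching, forward
# all viewer headers, cookies and query strings to the origin.
data "aws_cloudfront_cache_policy" "disabled" {
  name = "Managed-CachingDisabled"
}

data "aws_cloudfront_origin_request_policy" "all_viewer" {
  name = "Managed-AllViewer"
}

resource "aws_cloudfront_distribution" "app" {
  enabled    = true
  web_acl_id = var.web_acl_arn # WAF evaluates every request at the edge

  origin {
    origin_id   = "app-origin"
    domain_name = "origin.example.com" # ALB, or the on-premises reverse proxy (assumed)

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }

    # Shared secret the origin must check; a request without it did not come
    # through CloudFront and must be rejected by the ALB listener rule or proxy.
    custom_header {
      name  = "X-Origin-Verify"
      value = var.origin_verify_secret
    }
  }

  default_cache_behavior {
    target_origin_id         = "app-origin"
    viewer_protocol_policy   = "redirect-to-https"
    allowed_methods          = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods           = ["GET", "HEAD"]
    cache_policy_id          = data.aws_cloudfront_cache_policy.disabled.id
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

# Shield Advanced covers a resource only once it is enrolled; this requires an
# active Shield Advanced subscription in the organisation.
resource "aws_shield_protection" "cdn" {
  name         = "app-cdn"
  resource_arn = aws_cloudfront_distribution.app.arn
}

# For an origin in AWS: only CloudFront's origin-facing ranges may reach the
# ALB, so the application is unreachable by its own public address.
resource "aws_vpc_security_group_ingress_rule" "alb_from_cloudfront" {
  security_group_id = var.alb_security_group_id
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
  prefix_list_id    = data.aws_ec2_managed_prefix_list.cloudfront.id
}
```

For an on-premises origin the security group rule does not apply; the perimeter firewall allowlists the same CloudFront ranges (published in the AWS ip-ranges.json feed) and the reverse proxy rejects any request whose `X-Origin-Verify` header does not match. The header check matters in both cases, because the IP ranges are shared by every CloudFront customer, so another tenant’s distribution could otherwise be pointed at your origin.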

Secure Web Applications: Summary and Recommendations

Web application security should not be an optional extra these days, but the natural standard. Web applications are, in fact, routinely exposed to attacks at various levels, and relying on a single measure is simply not enough.

Effective protection is based on a combination of several layers that complement one another – from protection against DDoS attacks, through a Web Application Firewall, to the role of a Content Delivery Network. Only a properly designed architecture can mitigate attacks before they affect the availability or security of your web application.

Whether you run your application in the cloud or on-premises, the principles remain the same: layer security, minimise the attack surface and address security right from the architecture design stage, not only once an incident has occurred.

AWS-verified expertise

We hold the AWS Service Delivery designations for Amazon CloudFront and AWS WAF.

These specialisations demonstrate our technical expertise, real-world experience and our ability to design and operate secure web application architectures in the AWS environment.

„The AWS Specialisation Programme recognises AWS Partners who demonstrate technical excellence across industries, use cases and services. To achieve an AWS Specialisation, Partners must first complete rigorous technical assessments, including reviews of multiple customer success stories aligned with the Specialisation for which they wish to be recognised.“ AWS.com

Would you like to know more? For example, how can you detect threats and vulnerabilities right at the application code level? Which tools can be used? And what might (or should?) the ideal secure Continuous Integration and Continuous Delivery pipeline for your applications look like?

We’ll discuss this in a future Cloud Encyclopaedia article focused on secure application development.

About the author
Martin Gavanda

Cloud Architect | LinkedIn

Martin is a senior consultant who focuses primarily on the public cloud - Amazon Web Services and Microsoft Azure.

Technical knowledge: Public Clouds (Azure & AWS), Cloud Architecture and Design, Cloud Security, Kubernetes & Cloud Native application design, Application Assessments & Migrations.
