Many organizations using SaaS and serverless applications mistakenly believe their vendor fully handles security. As a result, few invest in additional security measures for these platforms. However, the reality is that most SaaS and serverless applications operate on a shared security model, where both the vendor and the customer share responsibility for protecting data and managing user access. Failing to recognize this can leave critical gaps in your security strategy.
When we account for human error, application complexity, zero-day attacks, targeted attacks, authentication/authorization attacks, it is difficult to trust that a vendor-supplied security by itself is sufficient – especially when the customer has no visibility or control over the security measures.
This is why cybersecurity-focused organizations are turning to web application firewalls (WAFs) to safeguard their SaaS and serverless applications.
A False Sense of Security
In the strictly on-premises days, network firewalls and WAFs sat in front of your network assets (servers) and protected them against threats traveling via externally or internally bound traffic. It would catch things such as malicious IPs, malware, viruses, and C2 commands and prevent insider attacks as well as outside threats. For self-hosted environments, firewalls and WAFs still do exactly that, but the nature of the average environment they’re protecting has changed.
Today, most organizations’ assets extend beyond on-premises environments, often residing in the cloud or with third-party providers like SaaS applications. While these solutions offer the convenience of built-in security features from the provider, many businesses — lacking deep cybersecurity expertise — make the critical mistake of assuming this is enough.
Why Built-in Cloud Cybersecurity Falls Short
Cloud service providers today tend to operate based on a shared responsibility model, meaning that while the provider will offer a basic (sometimes minimal) level of cyber protection, anything beyond that belongs to the client. As Fortra’s Josh Davies, Principal Technical Manager at Alert Logic, notes, “When it comes to security, cloud providers treat their clients like adults. They say, ‘We’re providing this product, these are the security features we offer, and the rest is up to you.” Unfortunately, it’s that last part that often gets missed.
While built-in security features cover things such as:
- Infrastructure security
- Application security
- Protecting stored data
They can also leave out essential threats, including:
- Targeted attacks
- Customer made changes and customizations
- Compliance and regulatory requirements
- Zero-day protection
“Every SaaS developer out there claims to operate strictly on ‘secure Dev practices’,” Fortra’s Samuel Lam, Principal Implementation Engineer at Fortra’s Alert Logic points out. “But when you look at it, there’s always something that can go wrong, and once the build has left the developer’s hands, any vulnerabilities are going to be directly the responsibility of the site or app owner.”
For example, it’s crucial to complete vulnerability scans and apply all necessary patches before deploying new applications. Ask your SaaS vendor if they do this; if the answer is “no,” then there is all the more reason to employ a WAF after-the-fact. Even with the best security precautions, cybercriminals make a living out of “cracking the code,” so if one tool in their toolbox doesn’t work, they have no problem trying another one until one finally does.
A WAF can significantly deter and block subsequent attempts, even thwarting them until the threat actor decides to pursue somebody else – likely an organization with unprotected serverless assets.
Common Web-based Threats
What threats might the owner of an unprotected website or application face? Because of their residence in the cloud and on the web, these assets are left vulnerable to attacks that can originate from anywhere.
Common web-based attacks include:
Cross-site scripting attacks
Malicious code is attached to a legitimate website and will run when the victim unwittingly loads the web page.
SQL injection attacks
At attacker slips a SQL query into a form on a webpage to manipulate the database into returning data useful to the attacker.
Password-based attacks
These can include brute force attacks, credential stuffing, man-in-the-middle attacks, and any attempt of a cybercriminal to illicitly obtain and use a victim’s credentials.
And more. Cloud computing attacks are an equal, if not greater threat, and can look like:
Denial of service (DoS) attacks
An attempt to force a website or cloud-based service offline (or render it inoperable) by flooding it with requests.
Cloud cryptomining
Borrowing (leasing or renting) cloud computing power from data centers in order to exfiltrate cryptocurrencies like Bitcoin without costly hardware.
Cloud malware injection attacks
Injecting ransomware, viruses, or other malicious software into cloud infrastructure in order to execute illicit commands and/or obtain sensitive information.
Many of these attacks can fall into the camp of both vectors, with such ploys as side-channel attacks, insecure APIs, account takeovers, and insider compromise easily added to the lists.
The bottom line: It’s a scary, threat-saturated world out there. With the amount of valuable, sensitive data that most companies trust to their cloud and web-based assets (think: CRMs), these serverless applications become lucrative targets for underground cybercrime economies (RaaS) and small-time threat actors looking to make a quick profit.
Against savvy, experienced threat actors, most out-of-the-box websites and spun-up applications wouldn’t stand a chance.
The Benefits of a Managed WAF
For many organizations, the barrier to WAF implementation may not be desire or understanding. More often than not, it is simply deployment. Davies suggests, “This is the point at which teams are typically asking questions like, ‘How do I get started? What is the resource burden? How long will it take to get up and running,’ and so forth. And Fortra can help out with that.”
For those interested in having a WAF but not risking a homegrown deployment (or having to hassle one), Fortra Managed WAF will take on the task. A veteran of hundreds of Fortra-led deployments, Lam states, “All we need is your web application’s domain name and backend IP, and we will help you set the rest up.” Our managed WAF solution takes you from the kick-off call to full protection with security analysts that remain on-hand to update and scale your policies as-needed.
By leveraging a web application firewall, teams can add an additional layer of defense to cloud-based resources that already struggle against security misconfiguration, web-based exploits, coding flaws, and more. As Lam sums up, “In a modern threat environment, SaaS and serverless resources are always going to be at risk. Because no one – not the developers, not the cloud host, not your software supply chain partners – has as big a stake in it as you do, no one cares as much as you do.”
That’s why Lam suggests, “The best thing teams can do is take matters into their own hands.” And for that, Fortra is here to help.
