Growing Web Applications Require DevSecOps Shift: ModSec Can Help
Web-based attacks such as credential theft, code injection, SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF), malware, ransomware and denial of service (DoS) can turn digital transformation and cloud migration into a losing trade-off. Every additional internet- or cloud-facing application or connection brings new, as yet unknown vulnerabilities and operational risk. These attacks are of particular concern to organizations whose websites and web applications hold sensitive data, and to the companies that host those applications and systems for them. Failure means compromised private data, fines, and loss of customers and market confidence.
Web hosting companies operate in an extremely competitive market and need to scale both processing and security without scaling headcount. Scaling processing lets them get the most out of their operating systems and software licenses, serving more customers with fewer resources while maximizing margins.
Tools such as cPanel and Plesk help them do this and provide a large economic advantage by letting a hoster serve thousands of customers from a single system. These control panels carve one server into many separate customer accounts, packing tenants far more densely than a dedicated virtual machine or cloud instance per customer would.
However, web hosting companies that lean on multi-tenant installations, automation, virtualization and other economies of scale arguably have more at stake than they did in the hub-and-spoke architectures of yesteryear, where each customer's server sat behind its own dedicated firewall.
Security has to keep pace with this efficiency model. In DevSecOps terms that means building protection into each server so that every customer on a shared host is covered, rather than bolting it on at the edge. Hosters cannot simply place a firewall in front of the multi-tenant server or servers: a perimeter firewall only sees traffic crossing the edge, so a compromised customer or domain account is already inside it and free to attack the shared server and its other tenants. Dedicated security appliances also introduce a single point of failure and can throttle traffic to the server. In the end it is one primitive wall and moat in front of everything valuable.
Web hosters have to protect their customers' websites and domains whether they resell servers to enterprise customers, run multi-tenant server environments for them, or host a domain for them (e.g., via Plesk). The server should ship with reliable on-host security, and the hosted environment must be protected against both external attackers and cross-contamination between customer workloads.
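As an added illustration of the per-server, per-tenant protection argued for above (example configuration written for this article, not Atomicorp's rule set or any product's shipped config), here is how ModSecurity 2.x under Apache scopes the same rules to each customer. The engine and rule set are loaded once at server level; every customer VirtualHost inherits them, and each can tune or stage the rules without touching its neighbours. This also shows the false-positive tuning the webinar list mentions later. Hostnames, paths and the 941100 rule id (the Core Rule Set libinjection XSS rule) are placeholders and assumptions; use the id your own audit log reports for the rule set you load.

```apache
# /etc/httpd/conf.d/mod_security.conf : server-wide defaults.
# Paths, hostnames and rule ids in this file are placeholders for illustration.
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On
    # Record only requests the engine blocked or the application answered
    # with an error, so one noisy tenant does not drown the audit log.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/httpd/modsec_audit.log
    # The rule set (vendor or community) is loaded once here and inherited
    # by every VirtualHost below (SecRuleInheritance defaults to On).
    Include /etc/httpd/modsecurity.d/rules/*.conf
</IfModule>

# Tenant A: an established site, fully enforcing, with one tuned exclusion.
# TLS directives omitted.
<VirtualHost *:443>
    ServerName tenant-a.example
    DocumentRoot /home/tenant-a/public_html
    <IfModule security2_module>
        # The site's editor legitimately submits HTML in the "content"
        # parameter, which trips the XSS rule. Dropping that single target
        # for this vhost fixes the false positive while the rule stays active
        # for every other parameter and for every other tenant. 941100 is
        # assumed here; substitute the id your rule set reports.
        SecRuleUpdateTargetById 941100 "!ARGS:content"
    </IfModule>
</VirtualHost>

# Tenant B: just onboarded. Run the same rules in log-only mode for this
# vhost until the false positives seen in the audit log are tuned out, then
# switch it to On. The rest of the server keeps blocking throughout.
<VirtualHost *:443>
    ServerName tenant-b.example
    DocumentRoot /home/tenant-b/public_html
    <IfModule security2_module>
        SecRuleEngine DetectionOnly
    </IfModule>
</VirtualHost>
```

Run `apachectl configtest` before reloading. Two caveats for shared hosts: `SecRuleUpdateTargetById` must appear after the rule it modifies has been loaded, which the server-level `Include` guarantees here, and a WAF only inspects HTTP traffic into the host; a tenant attacking a neighbour through the shared filesystem or local processes is stopped by OS-level account separation, not by these rules.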
ModSecurity for Web Hosters
ModSecurity, a free, open source web application firewall module with nearly two decades of production use, can fit the bill. But ModSecurity itself is only an engine; the protection comes from the rule set loaded into it, and tuning a rule set well takes expertise many hosting teams do not have. That is why numerous competing vendors sell ModSec web application firewall (WAF) rule sets as inexpensive commercial subscriptions that come with support.
This vendor market just shrank, however: on August 1, 2021, Trustwave announced the end of sale for its commercial ModSecurity support. Trustwave added that it will support existing customers only until the July 1, 2024, end-of-life (EOL) date, after which it will provide no further service, security updates, fixes, or new rules.
We’d like to propose a slightly different strategy: Leave it up to the open source community and to Atomicorp.
Atomicorp offers the most experienced team of experts in the ModSecurity space. We have contributed additional security features to the ModSec code base and have developed the world's largest ModSec rule set, sold as a subscription service, and we have supported these rule set customers for nearly 20 years. Atomic ModSecurity Rules turn the ModSec rule set into a toolset favored by web hosting companies: their security teams spend far less time chasing false positives and no longer need a firewall appliance in front of every server or multi-customer installation. Instead, they can deploy mature, proven and still-evolving security software across physical hosts and VMs that protects not only the hoster's own servers but each individual customer's servers, applications and domains.
On this note, Atomicorp is hosting a webinar on ModSecurity December 9th, 2021, from 1 p.m. to 2:30 p.m., U.S. ET.
Join us in:
- Building security into your adaptive infrastructure, including rapidly deployed web servers and virtualized server instances.
- Bringing zero trust endpoint protection principles to your web architecture. Everything a good firewall or firewall-as-a-service (FWaaS) offers should also be applied on the endpoint itself: malware protection, file integrity monitoring (FIM) and vulnerability detection; in short, defense in depth.
- Extending cloud security. Attacks arrive from the web but also from where your network meets the cloud, so you need to monitor and filter traffic in both directions and back that up with FIM and vulnerability detection on the host.
- Defending against network-wide attacks; DoS and brute force attacks. Atomic ModSecurity Rules and Atomic WAF bring powerful protections to ensure you don’t succumb to a knockout blow.
Register for the ModSecurity webinar to learn how to:
- Scale security as you scale your hybrid internal and cloud data environments.
- Use ModSecurity to securely support almost any environment.
- Reduce false positives and false negatives.
- Visualize, report, and meet compliance requirements such as PCI DSS, NIST, HIPAA, and more. Atomic WAF adds a management console and a graphical user interface (GUI), facilitating compliance and reporting.
- Combine perimeter protection with strong defense-in-depth security against lateral attacks in a single smart solution. Atomicorp provides layered zero trust protection and expert techniques for repelling not only shots at the perimeter but also attempts at deeper penetration.
Register for the webinar.
Learn more about our ModSecurity solutions.