Web applications are increasingly becoming malicious hackers’ favored attack vector, with over 46 percent of all data-stealing attacks now conducted via the Web according to a recent study by WebSense. And, due to data thieves growing use of automated tools, new web application vulnerabilities are being exploited within 24 hours after the threat is first disclosed according to a recent report by IBM’s xForce. Since patching is rarely a quick and easy affair in a business environment, attackers have a good chance of getting into a system before an enterprise can address a vulnerability.
Malicious hackers like web applications because they have built in, exposed mechanisms that have connectivity to the data the attacker is after -- credit card numbers and/or other exploitable information. It makes no sense to compromise an entire system when you can manipulate one application into releasing the data that you’re looking for. It doesn’t even take a skilled attacker to successfully carry out such an attack; tool kits that automate the process are readily available for less than $300. Some kit providers even offer technical support services.
And since most security protection still resides at the network, not application layer, the chances of getting caught are much lower. Additionally application attacks are much harder to catch and prevent at the network layer, because the network components don’t understand the application, its logic, or which resources should be accessed and by which user roles. Common vulnerabilities and exposures across the Web include application-level attacks such as cross-site scripting, SQL injection and buffer overflows.
WAF provides a quick solution for PCI 6.6. WAF can protect custom applications, 3rd party applications, and legacy applications - even in cases where the organization does not control the source code (as for SAP, Oracle, PeopleSoft web applications and portals) and where the people who understand the application are no longer accessible. It is also important to minimize the number of bugs in applications. No matter what tool used, this should be accompanied with code reviews, appropriate testing including such as fuzzy testing, code standards that are followed, and proper education. You can find best practices in protecting web based applications here.