IT teams in the financial services industry have historically invested in, and deployed, web application firewalls (WAFs) to comply with Payment Card Industry Data Security Standards (PCI DSS). However, many of today’s data security professionals recognize that unprotected web applications have become attractive targets for cybercriminals looking for easy entry points into their networks.
In fact, according to recent data, 83 percent of enterprise IT executives believe application security is critical to their IT strategy. Additionally, 82 percent of respondents believe application security is highly important to their overall IT strategy.
Between legacy applications and new and emerging mobile apps, the potential attack surface is broader than it’s ever been, and the dichotomy between old vs. new presents unique and consistent challenges to IT teams.
Many externally facing web apps are potentially vulnerable to a number of different attacks. Here are a few that IT teams should pay close attention to:
Internal web apps are considered to be even easier than external apps to compromise if attackers are able to gain access to the internal network. This is the case for many financial services organizations that mistakenly believe they’re fully protected by their perimeter defenses. Custom code is traditionally one of the weakest security links for many organizations, as internal application development teams are often simply unable to stay informed of all new attack types.
Commercial code can also be vulnerable, especially when a lack of resources inhibits IT teams from applying patches and security fixes as soon as they’re available.
Sophisticated web application security services leverage information to keep web apps safe from the OWASP Top 10 list of risks, and more. They do so by utilizing such things as IP reputation services that help screen out identified malicious sources before they have a chance to do damage.
Additionally, many web application security solutions offer a correlation engine that pulls multiple events across all security layers, enabling them to provide more accurate decisions and better protect against today’s increasingly complex attacks. By combining information from all layers, organizations are able to stay ahead of nearly all application-based attacks, including those zero-day threats that standard signature file-based systems can’t uncover. Vulnerability scanning is another critical element to staying protected against the ever-changing threat landscape.
As threats continue to evolve both in number and sophistication, organizations in the financial services industry need to consider investing in a multi-pronged web application security approach. Single security devices are not typically enough to defend the entire network. And it’s also becoming increasingly important to have a centralized, unified console through which you are able to manage and orchestrate, multiple gateway devices at the same time.
FortiWeb offers the tools needed to do just that. With FortiWeb, security professionals can configure and manage multiple gateways from a single management console. If an aggregated view of attacks is needed, FortiWeb also integrates into FortiAnalyzer reporting appliances for consolidated reporting and logging.
Let’s get a conversation going on Twitter! How is your organization staying protected against today’s attacks on web applications?