Introduction to Application Security and API Protection

Time
1 hour 13 minutes
Difficulty
Beginner
CEU/CPE
1
Video Transcription
00:00
>> [MUSIC] Welcome to this session on CloudGuard AppSec. In this session, we'll take a deeper look at CloudGuard AppSec and how it is deployed. By the end of this session, you will be able to describe how CloudGuard AppSec works to protect cloud-based web applications and APIs, and you'll be able to perform an initial deployment and configuration for both application security and API protection.

Web applications are programs that are accessible to users via a web browser. Organizations can use APIs that allow programmatic access to their web applications or underlying services supporting applications. As organizations shift to the cloud, they also shift the services required to build and access such applications.

As we've discussed earlier in this program, assets in the cloud, such as applications and APIs, have an increased attack surface. This, together with the sheer speed with which they are developed, deployed, and updated, can lead to increased compromises and vulnerabilities.

Traditional rule-based web application firewalls, also known as WAFs, are simply insufficient in protecting the increasingly complex cloud-based web applications. At the core of this incompatibility is the notion that any solution requiring manual tuning of application security will never match the pace of development and deployment of applications in the cloud. This is because traditional WAFs are based on static rules, whereas the process of development and deployment of cloud-based web applications is more dynamic than ever. Adding to this dynamic is the fact that cloud-based web applications interact with potentially numerous third-party services outside of the perimeter. In effect, there are now hundreds of perimeters to secure.

Finally, there is a major issue of privilege escalation in the cloud, which is not properly addressed by WAFs. Attackers that infiltrate an application will look for API keys to other applications or resources. Due to poorly configured role-based permissions, remote code execution can be much more harmful in the cloud.

Here's a quick example of a vulnerable cloud-based web application which displays power meter readings. A hacker performs a SQL injection directly to the web application from the browser to zero his electricity bill, regardless of his consumption. Later, he figures out that he can actually make the system work for him and pay him for consumption instead of the other way around. Using a local application he developed, he attacks an API used by the web application, reversing the charge. These kinds of attacks are relatively easy to commit for hackers who face weak protection in the form of traditional cloud-based WAFs. The better alternative to rule-based binary WAFs is CloudGuard AppSec.
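The power-meter scenario in the transcript above, as an added example that is not part of the original session and not Check Point's or CloudGuard's own code: a minimal bill lookup written two ways, the string-concatenated query that lets a browser-supplied meter id rewrite the SQL statement (zeroing the bill, then turning it into a credit), and the parameterized query that treats the same input as plain data. The table name `bills`, its columns, the `M-<digits>` meter-id format, the sample amounts and the payloads are all constructed assumptions for this example; it runs against an in-memory SQLite database.

```python
import re
import sqlite3
from typing import Optional

# Constructed sample data for a hypothetical power-meter billing app.
# The table, column names and meter-id format are assumptions for this example.
SAMPLE_BILLS = [("M-100", 312.40), ("M-200", 58.15)]
METER_ID_RE = re.compile(r"^M-\d{1,6}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample bills."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bills (meter_id TEXT PRIMARY KEY, amount_due REAL NOT NULL)"
    )
    conn.executemany("INSERT INTO bills VALUES (?, ?)", SAMPLE_BILLS)
    conn.commit()
    return conn


def amount_due_vulnerable(conn: sqlite3.Connection, meter_id: str) -> Optional[float]:
    """Bill lookup the way the vulnerable app does it: the meter id taken from
    the browser request is spliced into the SQL text, so the attacker controls
    part of the statement that the engine parses."""
    sql = f"SELECT amount_due FROM bills WHERE meter_id = '{meter_id}'"
    row = conn.execute(sql).fetchone()
    return None if row is None else row[0]


def amount_due_safe(conn: sqlite3.Connection, meter_id: str) -> Optional[float]:
    """Same lookup with a bound parameter: the value reaches the engine as
    data, so quotes and keywords inside it are never parsed as SQL."""
    row = conn.execute(
        "SELECT amount_due FROM bills WHERE meter_id = ?", (meter_id,)
    ).fetchone()
    return None if row is None else row[0]


def is_valid_meter_id(meter_id: str) -> bool:
    """Allowlist check applied at the edge before the query runs. It does not
    replace parameterization; it only rejects malformed ids early."""
    return METER_ID_RE.fullmatch(meter_id) is not None


# Payload typed into the browser: close the string literal, make the original
# WHERE clause match nothing, append a UNION that supplies a bill of zero, and
# comment out the trailing quote the application appends.
ZERO_BILL_PAYLOAD = "M-100' AND 1=0 UNION SELECT 0.0 --"
# Second half of the scenario: a negative bill, i.e. the utility owes money.
CREDIT_PAYLOAD = "M-100' AND 1=0 UNION SELECT -250.0 --"


def run_scenario() -> dict:
    """Run both lookups against the legitimate id and the two payloads."""
    conn = make_db()
    results = {}
    for label, meter_id in [
        ("legit", "M-100"),
        ("zero", ZERO_BILL_PAYLOAD),
        ("credit", CREDIT_PAYLOAD),
    ]:
        results[label] = {
            "valid_id": is_valid_meter_id(meter_id),
            "vulnerable": amount_due_vulnerable(conn, meter_id),
            "safe": amount_due_safe(conn, meter_id),
        }
    conn.close()
    return results


if __name__ == "__main__":
    for label, r in run_scenario().items():
        print(f"{label:>6}: valid_id={r['valid_id']!s:5} "
              f"vulnerable={r['vulnerable']} safe={r['safe']}")
```

With the legitimate id both lookups return the real amount; with the injected ids the concatenated query returns 0.0 and then -250.0 because the attacker's UNION row replaces the customer's row, while the parameterized query finds no meter named after the payload and returns None. The regex allowlist is the kind of static rule the transcript is contrasting against: it stops these two payloads, but it has to be re-tuned every time the id format changes, whereas binding the parameter fixes the query itself.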