As more and more data travels across the web, opportunities for hackers multiply. The device you used in the late 90s was at a lower risk of being hacked than the device you use today. Your web application is even more at risk today since it is composed of multiple vulnerable components. The risk gets higher each year as attackers' techniques get bolder and more sophisticated. The reality of computing in the modern age is that securing any one part of an entire system is not enough to defend against real attacks. Thinking broadly and holistically about a security solution end-to-end is the right path forward.
Today, some companies take the approach of implementing multiple point solutions to protect against external attacks – application attacks, mobile threats, or DDoS attacks. Take, for example, malware pretending to be legitimate software on your mobile device, a tried and true technique for executing malicious code on a device. To prevent such attacks, most people run a vulnerability scanner on their mobile device. They stop there and assume they are protected.
Or take man-in-the-middle attacks as another example. Some companies protect data only during transmission, by adopting encrypted protocols like HTTPS in the hope of moving data across the web securely. Unfortunately, this doesn’t protect them from protocol-level vulnerabilities.
Security should be an integral part of coding your website and protection should follow at every step along the end-to-end content delivery path – not just before application deployment.
What are the points along the content delivery path? We see the web application security world divided into three parts:
- The server where the content originates and web applications are executed
- The middle mile across which the content is transported
- The browser where the content is consumed
Within each of these parts, there is a set of threats and applicable defenses. Essentially, you want to layer protection at each point along the path, and that defense in depth increases your confidence in your system.
Embedding enforcement mechanisms directly in the application code, and implementing defenses at the server, in the middle mile, and in the browser, together protect the integrity of the application.
Our goal is simple – maintain the integrity, availability, and confidentiality of an application the way that the developer intended it to be consumed.