Consistently maintaining high-security standards for web applications is no easy task. Yet, with 68 percent of web applications open to the threat of a breach of sensitive data, according to research by Positive Technology, it is critically important to ensure the utmost security of these public-facing applications. This is especially true for our customer that provides its customers with sensitive business data over its web interface. With a strong cloud presence and the need to ensure the security of its web application — and its customer’s data — the company’s security team decided to migrate to AWS WAF, using AWS WAF rules, and AWS Shield for DDoS protection.
As the customer’s security team began adopting AWS WAF, it noticed that some customers were having trouble accessing the system. Indeed, it was discovered that some customer requests were blocked by the WAF. Yet, determining why this happened was a challenge for the security group who called in our AWS consulting services team to help. As we dug further, we learned that customer queries were being blocked by the WAF because the firewall was identifying the requests as a potential SQL injection.
What is AWS WAF?
AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. It gives you control over which traffic to allow or block by defining customizable web security rules.
AWS WAF SQL injection
A SQL injection is a commonly used attack approach in which malicious SQL statements are inserted into an entry field for execution. In this way, hackers can gain access to important information from back-end databases. Naturally, the security team used AWS WAF to create rules to block SQL injections and other common threats like cross-site scripting. They also implemented OWASP rules for protection against the most common web application vulnerabilities.
The first step was to study the requests that were being blocked and determine the root issue. At the web accessed user interface, the customer enters a plain English request that is translated into a SQL query. User requests and API calls were then blocked by AWS WAF because the request had SQL queries embedded in it.
AWS WAF rules
Realizing the issue, our AWS security specialists quickly got to work to construct custom rules that would still block SQL injection attacks while allowing genuine customer queries to continue. Our approach included analyzing URI patterns to white list and update WAF rules to not block known traffic.
However, by its very nature, the white list approach is a process where new genuine customer requests will be identified on an ongoing basis. As a result, we continued to identify new requests where the customer couldn’t access data because WAF blocked the query. In these cases, we altered the rule to white list the query.
AWS WAF CloudFormation
The AWS WAF rules were written as Infrastructure as Code (IaC). Specifically, when code was merged into a branch in AWS CodeCommit, the CI/CD server would detect the code change and deploy the AWS CloudFormation template. From here, QA tests were automatically executed.
Managing custom rules is a long-term commitment
Knowing that managing a white list with custom rules is a long-term commitment, we taught the security team how to write, edit, and manage WAF custom rules and the white list moving forward. In this way, the team is now fully equipped to create white list exceptions for any genuine customer query that is inadvertently blocked by WAF.
The security team was ultimately able to achieve the best practice benefits of AWS WAF. As stewards of highly sensitive customer data, the security team has effectively enhanced its security with managed rules that grow protection against web attacks. Also, they have increased their visibility into web traffic and integrated security more tightly with their web applications with DevSecOps automation and cloud-native services.
In the end, the security team has a robust set of custom AWS WAF rules for its white list, allowing its customers to continue to see the benefits of its solution. Now, when a customer logs in to learn more about its business — from sales and marketing to manufacturing and shipping analytics — the data is available at their fingertips. And, the security team can actively manage the solution moving forward, ensuring complete customer satisfaction.
*This was originally written by Flux7 Inc., which has become Flux7, an NTT DATA Services Company as of December 30, 2019
Post Date: 4/24/2020