Imperva

Imperva Application Security mitigates risk for your business with full-function defense-in-depth, providing protection wherever you choose to deploy – in the cloud, on-premises, or via a hybrid model. Imperva offers advanced analytics to quickly identify the threats that matter, DDoS protection with a 3-second mitigation SLA, a developer-friendly Content Delivery Network (CDN) for the utmost performance, Web Application Firewall (WAF) solutions, bot protection, Runtime Application Self-Protection (RASP) for security embedded into the application itself, and more.

What is web application security?

Web application security is the process of protecting websites and online services against different security threats that exploit vulnerabilities in an application’s code. Common targets for web application attacks are content management systems (e.g., WordPress), database administration tools (e.g., phpMyAdmin) and SaaS applications.

Perpetrators consider web applications high-priority targets due to:

The inherent complexity of their source code, which increases the likelihood that vulnerabilities go unnoticed and that application logic can be manipulated through crafted input.
High-value rewards, including sensitive personal data harvested from a successful compromise.
Ease of execution, as most attacks can be automated and launched indiscriminately against thousands, or even hundreds of thousands, of targets at a time.

Organizations failing to secure their web applications run the risk of being attacked. Among other consequences, this can result in information theft, damaged client relationships, revoked licenses and legal proceedings.

Web application vulnerabilities

Web application vulnerabilities are typically the result of missing or incomplete input validation and output encoding; such gaps are exploited to alter the application's behaviour or to gain unauthorized access.

SQL Injection – Occurs when a perpetrator supplies input that the application concatenates into a backend database query, so the database executes attacker-chosen SQL. Consequences include unauthorized reading of data, deletion of tables and, where the query implements a login check, unauthorized administrative access.
Cross-site Scripting (XSS) – An injection attack that targets users rather than the server, in order to hijack accounts, deliver Trojans or modify page content. Stored XSS occurs when malicious script is saved by the application (for example in a comment) and served to every user who views it. Reflected XSS takes place when script carried in a request is echoed back by the application into the user's browser.
Remote File Inclusion – A hacker abuses an include path built from user input so that the web application loads and executes a file from an attacker-controlled server. This results in the execution of malicious scripts or code within the application, and from there data theft or manipulation.
Cross-site Request Forgery (CSRF) – An attack that could result in an unsolicited transfer of funds, changed passwords or data theft. It is caused when a malicious web page makes a user's browser send a request to a site the user is logged on to; because the browser attaches the session cookie automatically, the site cannot tell the forged request from a legitimate one unless it checks something the attacker's page cannot obtain.
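The following is an added Python example, not code from the Imperva page, showing three of the flaws listed above in their vulnerable and hardened forms: a login query built by string concatenation beside a parameterised one, a comment renderer with and without HTML output encoding, and a funds-transfer handler that trusts the session cookie alone beside one that demands a per-session CSRF token. Everything it runs against is constructed inline: an in-memory SQLite table with two sample accounts, a literal request dictionary standing in for an HTTP request, and a hypothetical SESSION_SECRET. The function names are invented for illustration.

```python
"""Vulnerable and hardened handlers for SQL injection, XSS and CSRF.

Added example for the vulnerability list on this page; it is not Imperva's
code. All data below is constructed: an in-memory SQLite users table, a
literal request dictionary standing in for an HTTP request, and a
hypothetical SESSION_SECRET. Function names are invented for illustration.
"""
import hmac
import html
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


# --- SQL injection: query text built from input vs. parameterised query ---

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Concatenates input into the SQL text, so a quote in the input closes
    the string literal and whatever follows is executed as SQL."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the driver passes the values separately from the
    statement, so they are compared as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# --- Stored/reflected XSS: raw interpolation vs. HTML output encoding ---

def render_comment_vulnerable(comment: str) -> str:
    """Interpolates user text straight into markup; a <script> tag in the
    comment runs in every viewer's browser."""
    return f"<p>{comment}</p>"


def render_comment_hardened(comment: str) -> str:
    """Encodes &, <, > and both quote characters so the text is displayed
    rather than parsed as HTML."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


# --- CSRF: cookie-only authorisation vs. a per-session token the attacker cannot read ---

SESSION_SECRET = secrets.token_bytes(32)  # hypothetical per-deployment key


def csrf_token_for(session_id: str) -> str:
    """Derive a token bound to the session; the site embeds it in its own forms."""
    return hmac.new(SESSION_SECRET, session_id.encode(), "sha256").hexdigest()


def transfer_vulnerable(request: dict) -> str:
    """Trusts the session cookie alone. A form on an attacker's page submits
    with the victim's cookie attached and this handler cannot tell the difference."""
    if request["cookie_session"] is None:
        return "denied: not logged in"
    return f"transferred {request['form']['amount']} to {request['form']['to']}"


def transfer_hardened(request: dict) -> str:
    """Requires the token from the site's own form. The same-origin policy keeps
    an attacker's page from reading it, so a forged request arrives without it."""
    session = request["cookie_session"]
    if session is None:
        return "denied: not logged in"
    submitted = str(request["form"].get("csrf_token", ""))
    if not hmac.compare_digest(csrf_token_for(session).encode(), submitted.encode()):
        return "denied: bad CSRF token"
    return f"transferred {request['form']['amount']} to {request['form']['to']}"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))  # both rows: injection succeeded
    print(login_hardened(db, "nobody", "' OR '1'='1"))    # []: treated as a literal password
    print(render_comment_hardened("<script>alert(1)</script>"))
    forged = {"cookie_session": "sess-42", "form": {"amount": "1000", "to": "mallory"}}
    print(transfer_vulnerable(forged))                    # money moves
    print(transfer_hardened(forged))                      # denied: bad CSRF token
```

The injected password `' OR '1'='1` turns the vulnerable login's WHERE clause into `username = 'nobody' AND password = '' OR '1'='1'`, which is true for every row; the parameterised version compares the same string literally and matches nothing. The CSRF check uses `hmac.compare_digest` rather than `==` so token comparison does not leak timing information.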

In theory, thorough input validation and output encoding could eliminate this whole class of injection vulnerabilities, making an application immune to such manipulation.

However, complete sanitization usually isn't a practical option, since most applications are under constant development. Moreover, applications are frequently integrated with each other, creating an increasingly complex code base in which every new boundary is another place where a check can be missed.

Web application security solutions, together with enforced security procedures such as compliance with the PCI Data Security Standard (PCI DSS), should be deployed to mitigate such threats.