Today, security has become a crucial part of the development, deployment, and delivery of web applications. We deliver our applications with an ever‑increasing velocity that allows us to stay competitive. In a constant process of transformation, we adopt new technologies and methodologies in order to stay agile – often including the latest and greatest open source tooling, components, and application stacks. This velocity enables us to provide what our customers want and need from our applications, but what are the risks of such fast‑paced innovation?
The Rise of Open Source Vulnerabilities
RiskSense, a vulnerability management firm based in Silicon Valley, recently published a study titled The Dark Reality of Open Source. Its goal was to identify the threats to application security that come from open source products. Alarmingly, the number of Common Vulnerabilities and Exposures (CVEs) for open source software increased by 130% between 2018 and 2019, from 421 to 968. Moreover, it took 54 days on average for a vulnerability to be added to the National Vulnerability Database (NVD) after it was publicly disclosed, leaving organizations that rely on NVD feeds to drive their patching “exposed to serious application security risks for almost two months”.
In recent years, open source software vulnerabilities have been behind several major data breaches. The best known is the Apache Struts flaw CVE-2017-5638. Struts’ Jakarta Multipart parser built an error message from the value of a malformed Content-Type header and then evaluated that message as an Object‑Graph Navigation Language (OGNL) expression. OGNL can read and set Java object properties and call methods, so an attacker who placed an OGNL expression in that header obtained remote code execution (RCE) on the server with a single unauthenticated request. In 2017 this vulnerability led to the breach of over 143 million accounts at Equifax, months after a patch had been published. Given the number of vulnerabilities in the open source landscape, how do you protect your users, your network, and most importantly your data, against these attacks?
How WAFs Help with Open Source Software Security
The overall solution to security can be complicated, but a key piece of the puzzle is a web application firewall (WAF). A WAF protects your web applications by filtering, monitoring, and blocking malicious HTTP/S traffic destined for the application, and by preventing unauthorized data from leaving it. It does this by applying a set of policies that determine which traffic is malicious and which is safe. As with any security strategy, you need defense in depth. A WAF doesn’t block every exploit, and it is not a substitute for patching: keeping your components on supported, up‑to‑date versions is what actually removes a vulnerability, and it ensures that when a zero‑day is disclosed a patch will be available to you and can be applied quickly. What the WAF buys you is time in the window between disclosure and your patch rollout (the 54‑day NVD lag above is part of that window), plus coverage for whole classes of attack, such as injection, through which a not‑yet‑known flaw would be exploited.
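To make the policy-driven filtering described above concrete, and to show what a WAF would have had to look for in the Struts case, here is a minimal request inspector in Python. This is an added example written for this article; it is not NGINX App Protect code, and the `Request` class, the `SIGNATURES` list, the `inspect` function, and the sample traffic are all assumptions constructed for the demonstration. The signature set is deliberately tiny (an OGNL expression opener and sandbox-escape variables, plus one narrow SQL-injection shape); a production policy is far larger, but the mechanics are the same: normalize the request, match each part against the policy, and record why a request was blocked.

```python
"""Minimal policy-driven request inspector, modelled on what a WAF does.

Added example for this article; it is not NGINX App Protect code and the
signature set is a deliberately small illustration, not a production policy.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


# Each signature: (name, pattern, request parts to scan).
# The OGNL patterns target what CVE-2017-5638 payloads carried in Content-Type:
# an expression opener "%{" / "${" and the #_memberAccess / #context variables
# used to escape the OGNL sandbox. The SQL pattern is a narrow tautology /
# stacked-statement / trailing-comment shape, which is all this demo needs.
SIGNATURES = [
    ("ognl-expression", re.compile(r"[%$]\{"), ("headers", "path", "body")),
    ("ognl-sandbox-escape", re.compile(r"#_memberAccess|#context\b"), ("headers", "path", "body")),
    ("sql-injection",
     re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*(drop|union|select)\b|--\s*$", re.IGNORECASE),
     ("path", "body")),
]


def _scan_targets(req, part):
    """Yield the strings to match for one part of the request.

    Path and body are URL-decoded first: a real WAF normalizes before it
    matches, otherwise "%25%7B" sails past a check for "%{".
    """
    if part == "headers":
        for name, value in req.headers.items():
            yield f"{name}: {value}"
    elif part == "path":
        yield unquote(req.path)
    elif part == "body":
        yield unquote(req.body)


def inspect(req):
    """Return (allowed, reasons); reasons are the signatures that fired."""
    reasons = []
    for name, pattern, parts in SIGNATURES:
        for part in parts:
            if any(pattern.search(text) for text in _scan_targets(req, part)):
                reasons.append(f"{name} in {part}")
                break  # one hit per signature is enough for a block decision
    return (not reasons, reasons)


# Constructed sample traffic, not captured from any real system.
SAMPLES = {
    "benign-upload": Request("POST", "/upload",
                             {"Content-Type": "multipart/form-data; boundary=abc"}, "file=..."),
    "ognl-in-content-type": Request("POST", "/upload",
                                    {"Content-Type": "%{(#_='multipart/form-data').(#_memberAccess=1)}"}),
    "sqli-in-query": Request("GET", "/items?id=1' or '1'='1"),
    "encoded-ognl-in-query": Request("GET", "/search?q=%25%7B1%2B1%7D"),
}


def run_samples():
    """Inspect every sample; returns {name: (allowed, reasons)}."""
    return {name: inspect(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in run_samples().items():
        print(f"{name:24} {'ALLOW' if allowed else 'BLOCK':5} {', '.join(reasons)}")
```

The URL-decoding step in `_scan_targets` is the part practitioners most often get wrong in home-grown filters: without it, the `encoded-ognl-in-query` sample is allowed through. Real WAFs apply several normalization passes (URL, HTML entity, Unicode, double-encoding) before matching, and that is a large part of why a maintained product beats an ad hoc regex in front of the application.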
Let’s look at another example. According to the Open Web Application Security Project (OWASP), one of the most common and damaging attacks that can be performed on a web application is SQL injection. The attacker supplies input that the application concatenates into a SQL statement, so the input is executed as SQL rather than treated as data; the resulting statements can read, modify, or delete sensitive data in the database. The attack is so common that Injection holds the #1 spot (A1) in the OWASP Top 10 2017.
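The mechanism is easiest to see with the vulnerable query next to its fixed form. The following is an added example written for this article, not code from NGINX or from any real application; it uses an in-memory SQLite table with constructed rows, and the function names (`find_user_vulnerable`, `find_user_safe`, `demo`) and attacker strings are assumptions made for the demonstration. It goes one step beyond the tautology case in the text and also shows a UNION-based query that reads a column the original statement never exposed, which is how injection turns into data exfiltration.

```python
"""SQL injection: the vulnerable query beside its parameterized fix.

Added example for this article, not code from NGINX or any real application.
It uses an in-memory SQLite table with constructed rows so it runs offline.
"""
import sqlite3


def make_db():
    """Constructed sample data: three users, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email, role) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "admin"),
         ("bob", "bob@example.com", "user"),
         ("carol", "carol@example.com", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: the untrusted value is spliced into the SQL
    text, so a quote character in it changes the statement's structure."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Hardened: the value is bound as a parameter and can never become SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs (no real target involved).
TAUTOLOGY = "x' OR '1'='1"                                   # WHERE clause becomes always-true
UNION_EXFIL = "x' UNION SELECT username, role FROM users --"  # reads a column the query never exposed


def demo():
    """Run both lookups against honest and hostile input; returns the row lists."""
    conn = make_db()
    return {
        "vulnerable_honest": find_user_vulnerable(conn, "alice"),
        "vulnerable_tautology": find_user_vulnerable(conn, TAUTOLOGY),
        "vulnerable_union": find_user_vulnerable(conn, UNION_EXFIL),
        "safe_honest": find_user_safe(conn, "alice"),
        "safe_tautology": find_user_safe(conn, TAUTOLOGY),
        "safe_union": find_user_safe(conn, UNION_EXFIL),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22} {rows}")
```

With the vulnerable lookup, the tautology returns every user and the UNION payload returns each user's role, a column the query was never meant to expose. The parameterized version returns exactly one row for the honest input and nothing for either hostile string, because the driver sends the value separately from the statement text. This is the defense-in-depth point from the previous section in miniature: the WAF in front can stop the well-known shapes, but the parameterized query is what removes the vulnerability.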
Here at NGINX, we know how important security is to our users. When creating NGINX App Protect, we leveraged NGINX’s powerful architecture to help you achieve your security goals. NGINX App Protect is a modern, high‑performance, and reliable application security solution. With a design based on F5’s market‑leading WAF, the product runs natively on top of NGINX Plus and integrates security controls directly into your application. When developing NGINX App Protect, we kept the same philosophy as with previous NGINX products, focusing on performance, scalability, and a lightweight architecture.
NGINX App Protect is a modern WAF designed to sit close to your applications, providing additional protection beyond a perimeter WAF. It can be fully integrated into DevOps and CI/CD frameworks to:
- Enable strong security controls to be integrated seamlessly with NGINX Plus
- Outperform other WAFs for improved user experience
- Reduce complexity and tool sprawl while delivering modern apps
Let NGINX App Protect shield your applications so that you can focus on the lifecycle and innovation of your products and solutions. Contact us to request a free trial. And if you’re running NGINX Open Source, consider moving to NGINX Plus: patches for NGINX CVEs are released to NGINX Plus customers first, which shortens your exposure window when a new vulnerability is disclosed.