The 3 Types of Automated Website Security
October 24, 2012
It’s important to have a thorough suite of security tools that run regularly, so I thought I’d take a few minutes to explain some of the different products on the market that complement what we are offering at Tinfoil Security.
For the purposes of this post, let’s say there are effectively three types of automated web security defense.
Web application firewalls (WAFs) are the first line of defense against an external attack, and typically the easiest to implement. When you implement a WAF, you send all your traffic through the provider you choose, or through your in-house appliance. They typically implement a blacklist of request types that are not allowed to reach your website, so if an attacker sends a request that matches the blacklist, it is dropped before it ever hits your servers. WAFs are a great starting point for website security and sometimes come bundled with the added bonus of a CDN to speed up your site. I recommend trying Cloudflare if you’re looking for something quick and affordable to test out. The downside of a WAF is that you’re not actually fixing the issues; they’re simply being hidden from view. A good analogy is wearing a bulletproof vest: more likely than not, you’ll be fine, but if they hit you in a place that wasn’t covered, not so much. Also, if you ever take it off, you’re completely vulnerable.
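To make the blacklist mechanism concrete, here is an added Python sketch of the kind of request filter a WAF applies; it is not Tinfoil's or any vendor's code, and the rule names and patterns are assumptions for illustration. It normalizes each part of the request the way the backend would see it, matches it against the rule set, and drops anything that matches before the application is reached.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical blacklist of request patterns, in the spirit of the WAF rules
# described above (an added illustration, not any vendor's ruleset).
BLOCKLIST = {
    "sqli-tautology": re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.IGNORECASE),
    "sqli-union": re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE),
    "xss-script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "path-traversal": re.compile(r"(^|[\\/])\.\.([\\/]|$)"),
}


def normalize(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL encoding so a rule sees the request
    as the backend would decode it. A blacklist that skips this step leaves
    an uncovered spot, in the sense of the vest analogy above."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(path: str, query: str = "", body: str = "") -> dict:
    """Return {'allow': bool, 'rule': str | None, 'where': str | None}.

    Path, query string and body are checked in turn against BLOCKLIST; the
    first matching rule causes the request to be dropped before it reaches
    the application. Note that a block means the application behind the
    WAF is still exposed to that input: the WAF hides the flaw, it does not
    fix it."""
    for where, raw in (("path", path), ("query", query), ("body", body)):
        candidate = normalize(raw)
        for rule, pattern in BLOCKLIST.items():
            if pattern.search(candidate):
                return {"allow": False, "rule": rule, "where": where}
    return {"allow": True, "rule": None, "where": None}
```

The returned decision records which rule fired and in which part of the request, which is what a WAF would log; keep in mind that such patterns can also match legitimate text, so rules need tuning against real traffic.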
Next up are reactive scanning solutions. They are the final line of defense against an external attack. They crawl your site looking for any malware that can be detected. By the point where they’re useful, you have already been hacked. They quickly alert you to what was found so you can patch the holes the attackers used and limit any further loss. Of course, their downfall is that you’ve already been hacked by the time they alert you, and in the ideal situation you’d never have gotten hacked in the first place. However, if a proactive scanner and WAF have both failed, having a reactive malware scanner is a good last check. If you do want to implement an affordable malware scanning solution, I recommend Sucuri.
Lastly, to catch vulnerabilities before you’re attacked, you’ll need to look for a proactive scanning solution (Tinfoil Security being one example). This is my favorite of the three approaches to website security: you are regularly scanned for a multitude of vulnerabilities and told where you could be vulnerable before you’re attacked. With Tinfoil, you get the added bonus of seeing how to fix each vulnerability we find, with the fixes specifically tailored to your software stack. Of course, no automated or human penetration test can be iron-clad, but with each vulnerability you fix, you remove yourself from the group of easy-to-hit websites. Hackers often look for the “low hanging fruit” first, and the higher up on the tree you are, the less likely you are to be attacked.
From a security perspective, implementing all three of these will provide you with the best line of defense in a recurring fashion. No security solution is ever perfect, so it’s good to bring along the strongest pals to make sure you’re as protected as possible. At Tinfoil Security our goal is to give you the best proactive security scanning service available, and we’re happy to help you make decisions on other complementary services as well.