Justin Boyer
The development of microservice architecture and web APIs have fundamentally changed how companies approach application security. Complex business logic and interdependent services create new opportunities for attackers to infiltrate and steal information.
Rule-based and signature-based security technologies have been used for a long time to protect web applications, but attackers are finding their way through those defenses.
Let’s review how signatures and rules have fallen short and what is needed to replace them.
What is Signature-Based Security?
A signature is a unique mark made by a person on a paper, such as a contract. You can use it later to verify the identity of the person who signed the document.
In digital security, signatures uniquely identify a program or mode of operation. For example, an antivirus company will create a signature of a computer virus, allowing it to raise alarms when that signature pops up during an attack. In this case, signatures are made by hashing the virus executable to create a unique string that identifies the program.
Specific types of attacks also have signatures. Web Application Firewalls (WAFs) and Next-Gen WAFs use signatures to identify attacks such as cross-site scripting or SQL injection. The WAF scans all requests coming into a web application and blocks requests with the “signature” of an attack—for instance, entering semicolons or slashes into an input form, indicating SQL injection or a directory traversal attack.
Why Signature-Based Only Solutions Don’t Work for Web API Security
There are several glaring problems with solutions that rely only on signatures for security.
Don’t prevent unknown attacks
Signatures are based on analysis of prior attacks. This leads to security teams playing a game of constant catch-up. An attack happens. It’s analyzed, and a signature is created.
But when a new attack happens that doesn’t match the signature, automated tools won’t stop it because they don’t know what to look for. The attack is analyzed, and a signature is created.
Rinse and repeat.
Rules create a perimeter mindset
Rules-based security is typically used with perimeter-based tools such as firewalls and WAFs, leading to a “moat around the castle” mentality.
The problem: Protecting the edge and assuming every request coming from within the network is safe, is only a partial defense and ignores the sophistication of modern attackers who have various ways to commandeer resources inside the defense wall.
Companies often perform background checks before hiring a new employee, but that doesn’t mean you ignore what those employees do once they start working. Similarly, making sure traffic is checked on the way in doesn’t mean you should ignore requests coming from inside the network.
Business logic attacks don’t have signatures
Static rules and signatures can’t prevent business logic attacks. They often are designed to look like regular traffic and take advantage of the code to steal data.
Broken Object Level Authorization (BOLA), number one on the OWASP API Top 10 list, is an example of a business logic attack. This attack occurs when a bad actor posing as a user changes the ID of a resource to gain access to prohibited areas.
Signature-based only security solutions won’t discover this attack because the traffic looks legitimate. It’s a request for a resource that has the resource ID with it. However, the security tool misses the context that the currently logged-in user shouldn’t be allowed to see what they’re requesting.
A Better Way of Protecting Applications Is Needed
As microservice and API-based applications become more common, new security solutions are required to protect them. We need to move away from rule-based and signature-based only security tools and move toward tracing and AI that understands in real-time the application it protects.
We’ve released a new whitepaper, “The Evolution of Application Security (And Where We Go Next)”. Check it out to learn how Traceable AI moves the industry beyond signature-based application security.
About the Author
Justin Boyer is a former software engineer and application security specialist turned technology writer and a regular contributor to The Inside Trace.
