Most traditional Web Application Firewall (WAF) approaches are unable to protect your web and cloud applications from sophisticated attacks. Web Application Isolation (WAI) takes a fundamentally different approach, securing vulnerable apps by isolating them from all web-based attacks.
Application security vulnerabilities are inevitable. Despite best efforts in the development process, bugs and misconfigurations still make their way into production applications.
Organizations have traditionally turned to WAFs to help them address this situation. Unfortunately, the antiquated technology most WAFs are based on has made them ineffective from a security standpoint, and operationally challenging from an alert-fatigue perspective.
Simply put, the pattern and rule-based engines many WAFs rely on are not aligned with current security needs. They cannot keep up with the modern threat environment and have exposed companies to data loss, downtime, and ransomware attacks. This outdated mode of attempting to protect applications is no longer working, requiring a new approach.
Turn Apps Dark to Attackers
Data Loss Prevention
Reduce False Positives
ZTEdge Web Application Isolation (WAI) allows organizations to darken their applications, making the previously exposed surfaces of web apps invisible to potentially compromised devices and bad actors, while ensuring legitimate users have full productive access. Hackers or infected machines that attempt to probe web apps, seeking vulnerabilities to exploit, cannot see page source code, developer tools or APIs. Instead, they will only see a few lines of ZTEdge Web Application Isolation HTML.
WAI provides multiple layers of defense. Only authenticated and authorized users coming from the organization’s ZTEdge cloud tenant gain application access, through an isolated remote cloud container, with no change in the user experience. Behind the scenes, no application code or data is downloaded to the user’s browser, effectively “hiding” any vulnerabilities attackers may exploit and the associated risk of data loss. This innovative approach also eliminates the false-positive issues that plague traditional WAF systems.
File uploads and downloads can be scanned for malware using Content Disarm and Reconstruction (CDR) technology, and checked for data exfiltration using the solution’s DLP capabilities. Advanced data sharing controls are also available.
Web Application Isolation secures websites and apps from critical security risks. Read more about how WAI protects organizations from the top threat vectors and watch the demo videos to learn more about how the solution works.
Dr. Chase Cunningham (aka Dr. Zero Trust) set up a fictional Juice Shop to demonstrate how WAI protects web applications from the most dangerous threats, as ranked in the OWASP Top 10. The Juice Shop app, which he created on the HyperQube test platform, is designed to be super vulnerable – with “as many holes as Swiss cheese.”
Failures in access control allow users to act beyond the permissions that app owners intended to grant.
Web Application Isolation eliminates excessive access by enforcing policy-driven controls based on each user’s group or individual role. To prevent user access to local files, WAI obfuscates app URLs and page source data.
Failure to encrypt app data, both in transit and at rest, can result in exposure of sensitive data such as passwords, credit card numbers and other PII, as well as regulatory risk.
Web Application Isolation air-gaps data stored and processed by web apps from the internet, so it is never cached on user devices. With pixel-based rendering, sensitive app data can be effectively obfuscated.
Injection attacks typically involve hostile user-supplied data that is not validated, filtered or sanitized. Common injections include SQL, NoSQL, Object Relational Mapping (ORM) and LDAP.
Web Application Isolation leverages IAM to protect against common SQL injection at login. In Pixel mode, it eliminates HTML forms and input fields at the client, preventing injection into those fields.
This OWASP risk covers designed-in weaknesses and flaws such as error messages that contain sensitive data and insufficiently protected credentials and credential storage.
Creating a robust hardening process is tough to do. WAI secures access without additional software development and infrastructure design by isolating web code, adding MFA, and air-gapping web servers from brute force attacks.
The shift to highly configurable apps has also increased the risks of misconfiguration. Common examples include enabling unnecessary features and retaining default accounts and/or passwords.
WAI protects apps before scans find a vulnerability, until that vulnerability can be fixed, and when a fix inadvertently creates a new vulnerability, providing air cover for developers so they can do the job right.
Keeping software, libraries, databases, servers and all components that interact with your apps patched and updated is critical to maintaining a secure environment. But many organizations patch monthly or even quarterly, leaving their apps vulnerable to exploits.
Web Application Isolation secures apps while patches are rolled out, blocking exploitation and ensuring secure operation.
Failure to adequately confirm and authenticate user identity or to manage sessions securely exposes apps to automated brute force and credential stuffing attacks.
Multi-factor authentication is a highly effective way to prevent these types of failures. WAI has MFA built into its identity and authentication management. It secures apps by disabling user accounts if brute force attacks are detected.
This OWASP risk relates to code that relies on plugins, libraries or modules from untrusted sources, repositories or CDNs, which might introduce malicious code or enable unauthorized access.
WAI policies can require browsers to apply security controls on access to, and transactions involving, sensitive data, for example by disabling clipboard copy/paste. It secures data in transit and ensures that data is never stored on endpoints.
Logging and monitoring are essential for detecting, escalating and responding to breaches.
WAI enables access logging for web apps to be standardized based on policy controls, and helps log that information for analysis and reporting.
SSRF flaws occur when web apps fetch a remote resource without validating the user-supplied URL, enabling the app to be coerced to send a request to an unexpected destination.
WAI hides internal servers from the web so they can’t be port scanned. It also obfuscates web app URLs so attackers can’t access local files and internal services by manipulating the app’s URL.