Traditional Web Application Firewall (WAF) approaches are unable to protect your web and cloud applications from sophisticated attacks. Web Application Isolation (WAI) succeeds where WAFs fail, securing vulnerable apps by isolating them from all web-based attacks.
Application security vulnerabilities are inevitable. Bugs, misconfigurations, and other application vulnerabilities still make their way through to production despite best efforts in the development process.
Organizations have turned to WAFs for help in protecting vulnerable apps from attack in the past. Unfortunately, WAFs are operationally challenging and, because their technology is dated, generate excessive false alerts that make them ineffective at securing apps.
Additionally, WAFs rely on pattern and rule-based engines that do not align with current security needs. They cannot keep pace with the modern threat environment, leaving companies exposed to data loss, downtime, and ransomware attacks. An effective new approach is needed to protect the applications businesses depend on.
Turns Apps Dark
Prevents Data Loss
Scans for Malware
Reduces False Positives
ZTEdge Web Application Isolation (WAI) allows organizations to darken exposed surfaces of their web apps, making them invisible to bad actors and devices that may be compromised, while ensuring that legitimate users have full productive access. Hackers or malware from infected machines that attempt to probe web apps, seeking vulnerabilities to exploit, cannot reach page source code, developer tools or APIs. Instead, they will only see a few lines of ZTEdge Web Application Isolation HTML.
WAI provides multiple layers of defense, without the overwhelming false positive alerts associated with WAFs. Only users authenticated and authorized via the organization’s ZTEdge cloud tenant can access corporate applications. User-app interactions occur within an isolated remote cloud-based container, yet the user experience feels completely normal. Since no application code or data is downloaded to user browsers, vulnerabilities that attackers might exploit are hidden and data loss is prevented.
File uploads and downloads can be scanned for malware using Content Disarm and Reconstruction (CDR) technology, and data exfiltration is prevented by the solution’s Data Loss Prevention (DLP) capabilities. Advanced Data Sharing controls are also available.
Web Application Isolation secures websites and apps from critical security risks. Read on and watch the short demos for more about how WAI works.
Dr. Chase Cunningham (aka Dr. Zero Trust) set up a fictional Juice Shop to demonstrate how WAI protects web applications from the most dangerous threats, as ranked in the OWASP Top 10. The Juice Shop app, which he created on the HyperQube test platform, is designed to be super vulnerable – with “as many holes as Swiss cheese.”
Failures in access control allow users to act beyond the permissions that app owners intended to grant.
Web Application Isolation eliminates excessive access by enforcing policy-driven controls based on each user’s group or individual role. To prevent user access to local files, WAI obfuscates app URLs and page source data.
Failures to encrypt app data, both in transit and at rest, can result in exposure of sensitive data such as passwords, credit card numbers and other PII, as well as regulatory risk.
Web Application Isolation air-gaps web app data from the internet, so it is never cached on user devices. With pixel-based rendering, sensitive app data can be effectively obfuscated.
For corporate apps, injection attacks are a grave concern at login and during the course of app use. WAI removes the need to publish web-based applications on the Internet; instead, access is controlled by authentication, with users only reaching the application through WAI. This reduces application exposure by limiting access to known and trusted users.
This OWASP risk (Insecure Design) covers designed-in weaknesses and flaws such as error messages that contain sensitive data, and insufficiently protected credentials and credential storage.
Creating a robust hardening process is tough to do. WAI secures access without additional software development and infrastructure design by isolating web code, adding MFA, and air-gapping web servers from brute force attacks.
The shift to highly configurable apps has also increased the risks of misconfiguration. Common examples include enabling unnecessary features and retaining default accounts and/or passwords.
WAI protects apps before scans discover a vulnerability, until a known vulnerability can be fixed, and in cases when a fix inadvertently creates a new vulnerability, providing air coverage for developers so they can do the job right.
Keeping software, libraries, databases, servers and all components that interact with your apps patched and updated is critical to maintaining a secure environment. But many organizations patch monthly or even quarterly, leaving their apps vulnerable to exploits.
Web Application Isolation secures apps while patches are rolled out, blocking exploits and ensuring secure operation.
Failure to adequately confirm and authenticate user identity or to manage sessions securely exposes apps to automated brute force and credential stuffing attacks.
Multi-factor authentication is a highly effective way to prevent these types of failures. WAI has MFA built into its identity and authentication management. It secures apps by disabling user accounts if brute force attacks are detected.
This OWASP risk (Software and Data Integrity Failures) relates to code that relies on plugins, libraries or modules from untrusted sources, repositories or CDNs, which might introduce malicious code or enable unauthorized access.
WAI policies can require browsers to apply security controls on access to, and transactions with, sensitive data, for example by disabling clipboard copy/paste. It secures data in transit and ensures that data is never stored on endpoints.
Logging and monitoring are essential for detecting, escalating and responding to breaches.
WAI standardizes access logging for web apps according to policy controls and records that information for analysis and reporting.
SSRF flaws occur when web apps fetch a remote resource without validating the user-supplied URL, enabling the app to be coerced to send a request to an unexpected destination.
WAI hides internal servers from the web so they can’t be port scanned. It also obfuscates web app URLs so attackers can’t access local files and internal services by manipulating the app’s URL.
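As an added illustration of the SSRF failure mode described above (example code, not the page's or ZTEdge's own), here is the kind of check an application can run on a user-supplied URL before fetching it: a constructed allowlist of permitted hosts, HTTPS only, no userinfo tricks, and a separate test for IP literals in non-public ranges.

```python
# Added example, not code from the ZTEdge/WAI page: an allowlist check an app can apply
# before fetching a user-supplied URL, illustrating the SSRF failure mode described above.
# Host names below are constructed for the example.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"cdn.example.com", "images.example.com"}  # constructed allowlist


def is_internal_address(addr: str) -> bool:
    """True if addr is an IP literal in a loopback, private, link-local or other
    non-public range (e.g. 127.0.0.1, 10.0.0.5, 169.254.169.254, ::1).
    Non-IP strings return False. In a real fetch path this check must also be run
    on the address the host name resolves to, not only on a literal in the URL."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as its IPv4 form
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def is_safe_fetch_url(url: str) -> bool:
    """Allow a fetch only for https:// URLs whose host is on the allowlist.
    Rejects other schemes (file://, gopher://, http://), URLs carrying userinfo
    (the https://allowed-host@other-host/ confusion), empty hosts, and any IP
    literal, internal or not, since only host names are allowlisted."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # e.g. malformed IPv6 bracket syntax
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literals are never allowlisted
    except ValueError:
        pass
    return host.lower() in ALLOWED_HOSTS
```

The allowlist check alone does not cover DNS answers that point an allowed name at an internal address, which is why is_internal_address is meant to be applied to the resolved address as well.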