With the rapid development of technology that is increasingly leading to cloud computing as a whole, we also need to realize that the types of threats are also growing. The mitigation process of all these threats itself can be very complicated and time-consuming, draining a lot of IT resources which will result in hampered productivity in operational activities that should help the company’s main activities. We can see now that with the availability of various existing HTML5/Wordpress services, it is very easy to build an interactive and visually modern web application.
We don’t even need to have our own server for hosting, which is also available for rent from various providers. More sophisticated are the products/instances provided by various cloud providers, where for example we can choose the type of database engine or storage type that is most optimal for current needs with the option for small/large development almost instantaneously. All transactions and module selection can be done online, and a drag-and-drop interface model of content is commonplace. Even with the facilities available, we need to be aware of the risks that can occur. Is it properly protected? It should be realized that if we use other party SaaS applications the entire scope of the backend structure.
Moreover, if our operators do not have good knowledge of cybersecurity and we are completely dependent on the expertise of service providers, this increases the risk of negligence that can lead to data breaches and worse, customer information. The OWAPS annual report https://owasp.org/www-project-top-ten indicates threats that we need to consider mitigating especially when developing a web application, especially for companies that enable interactive/semi-interactive communication with customers. We have seen for ourselves with our data that must be submitted to mandatory applications recently, the e-KTP data leak is very disturbing for us, the application users.
One of the threats that need to be considered from the INJECTION type is SQL Injection. An example of an SQL Injection event is a web application that requires a login using a UserID-Password. Instead of entering a valid combination, the hacker will enter a SQL command that will “force” the application to check the database against entries and at the same time, perform “snooping” and plagiarism of the database. The information obtained is then used for extortion, trading, or hacking which can cause improper changes to web content. FortiWeb specifically mitigates this risk, along with other threats related to web applications. While the firewall in general will protect our internal network, the features of FortiWeb will protect servers that load web applications, including if they are on a cloud network.
FortiWeb provides advanced WAF, Bot Mitigation, and OpenAPI protection. Topologically, FortiWeb can be placed anywhere as long as routing can be connected to the web server and client (public). A little further about the advantages that make its status as advanced WAF is the existence of machine learning related to legitimate requests, which will ease the burden on IT personnel to manually make adjustments / patching every time a new legitimate request enters the system.
FortiWeb also has File Upload protection which scans the data we send to the public to be free from hidden malware. However, due to the large variety of web application implementations, of course, there is no one solution that can completely sweep the world at an optimal price.
Contact us ACS Group for further review to maximize the security of your applications and data.