アプリケーションのセキュリティを第一に考える

アプリケーションは、ビジネスにとって重要であり、攻撃者にとって価値のある企業データと顧客データの両方の入り口でもあります。攻撃者は、あらゆる手段を駆使してアプリケーションを攻撃します。アプリケーション自体を保護することが重要なのはそのためです。

アプリケーション中心のセキュリティ

適切なソリューションを整備してリスクを軽減できるように、アプリケーションの脆弱性の原因、および可能性のある攻撃経路を理解してください。現在の高度な脅威に対抗し、ビジネスを進め続けるために必要なアプリケーション セキュリティを利用してください。

WebアプリケーションおよびAPIの保護

WebアプリケーションおよびAPIの保護

アプリケーション インフラストラクチャの保護

アプリケーション インフラストラクチャの保護

Attack Types

Explore the app components to understand each tier and the its associated threats.

APP

Explore the app components to understand each tier and the its associated threats.

SERVICES TIER

Web servers, content delivery networks, and app or database servers are the base for web application services. Also part of this tier are frameworks, libraries, and plugins, and internal code that provides an app's core functionality. Attackers frequently scan for unpatched components within this tier, making it the focus of common attacks, such as injection or business logic flaws.

POSSIBLE THREATS

ACCESS TIER

Access is the gateway to the data that an app processes or stores. This tier provides web, mobile, and API clients the ability to authenticate and get authorization to access an application, so it needs to be secure and efficient. An analysis of breach records shows that 33 percent of web app breaches are access related, with phishing, brute force, and credential stuffing attacks leading the way.

1 F5 Labs: Lessons Learned from a Decade of Data Breaches

POSSIBLE THREATS

TLS/SSL TIER

The transport layer security tier includes HTTPS, TLS, and even the outdated SSL protocol. It provides confidentiality for clients and apps communicating over untrusted networks, ensuring attackers can't tamper with data in transit. Flawed libraries or implementations can lead to vulnerabilities like Heartbleed or denial-of-service attacks. TLS is also used to hide payloads that target other tiers of the app.

POSSIBLE THREATS

DNS TIER

The "address book" of the Internet, DNS translates domain names into IP addresses so browsers can load Internet resources. This tier includes all DNS servers needed by the client and the app, as well as the relevant registrars of those apps' domains. App availability can be disrupted if its DNS suffers a DDoS attack. Alternatively, DNS can be targeted in a hijacking attempt that can compromise an app's confidentiality or integrity.

POSSIBLE THREATS

NETWORK TIER

Clients and apps need a network to connect. Many applications exist on or communicate over the biggest network—the Internet. An app also typically resides on an internal network, allowing app admins to connect and make changes. The network tier is a target of multiple types of DDoS attacks. Compromised internal networks can lead to unauthorized disclosure, alteration, or destruction of data.

POSSIBLE THREATS

DDOS ATTACKS

The purpose of a DDoS attack is to make an application unavailable. DDoS attacks typically originate from an "army" of hacker-controlled bots. All tiers of an app have a capacity limit or are designed in a way that's vulnerable to DDoS attacks. Volumetric attacks target the network tier, overwhelming bandwidth. Others target server or infrastructure resources such as CPU, memory, or state tables.

DDoS Solutions

Use Cases

WEB APPLICATION ATTACKS

Web app attacks target the data held by apps through layer 7 by attempting to steal a user's credentials via a man-in-the-middle attack or exploiting vulnerabilities in servers, frameworks, libraries or even business logic flaws within custom code. Also included are access-control attacks, like credential stuffing, brute force attacks, and credential theft via malware or phishing.

Web App Security Solutions

Use Cases

APP INFRASTRUCTURE ATTACKS

Application infrastructure refers to the systems that applications depend on that are external to the app itself. Attacks against application infrastructure target TLS, DNS, and the network tiers. These attacks can include compromising a vulnerable implementation of TLS/SSL, spoofing DNS to divert user traffic, a man-in-the-middle attack on a network, or a DDoS attack on any of these tiers.

App Infrastructure Solutions

Use Cases

ACCESS ATTACKS AND BUSINESS CHALLENGES

Attacks on access often consist of botnets attempting to brute force user accounts, test stolen passwords, or look for web apps with weak access controls. While preventing successful attacks is paramount, understanding how users access your apps can help you balance “least privilege” without compromising user productivity.

Access Solutions

Use Cases

ATTACK TYPES

HOW APPS ARE ATTACKED

What are apps and how are they attacked?

Applications are made up of many independent components, running in separate environments with different requirements and a supporting infrastructure that's glued together over networks. Each component, or tier, can be a target. To evaluate defenses, you need to understand the attack surface of each tier.

  • Services
  • Access
  • TLS
  • DNS
  • Network

What are apps and how are they attacked?

Applications are made up of many independent components, running in separate environments with different requirements and a supporting infrastructure that's glued together over networks. Each component, or tier, can be a target. To evaluate defenses, you need to understand the attack surface of each tier.

SERVICES TIER
services off

Web servers, content delivery networks, and app or database servers are the base for web application services. Also part of this tier are frameworks, libraries, and plugins, and internal code that provides an app's core functionality. Attackers frequently scan for unpatched components within this tier, making it the focus of common attacks, such as injection or business logic flaws.

POSSIBLE THREATS

ACCESS TIER
services off

Access is the gateway to the data that an app processes or stores. This tier provides web, mobile, and API clients the ability to authenticate and get authorization to access an application, so it needs to be secure and efficient.

An analysis of breach records shows that 33 percent of web app breaches are access related, with phishing, brute force, and credential stuffing attacks leading the way.

1 F5 Labs: Lessons Learned from a Decade of Data Breaches

POSSIBLE THREATS

TLS/SSL TIER
tlsOff

The transport layer security tier includes HTTPS, TLS, and even the outdated SSL protocol. It provides confidentiality for clients and apps communicating over untrusted networks, ensuring attackers can't tamper with data in transit.

Flawed libraries or implementations can lead to vulnerabilities like Heartbleed or denial-of-service attacks. TLS is also used to hide payloads that target other tiers of the app.

POSSIBLE THREATS

DNS TIER
dnsOff

The "address book" of the Internet, DNS translates domain names into IP addresses so browsers can load Internet resources. This tier includes all DNS servers needed by the client and the app, as well as the relevant registrars of those apps' domains.

App availability can be disrupted if its DNS suffers a DDoS attack. Alternatively, DNS can be targeted in a hijacking attempt that can compromise an app's confidentiality or integrity.

POSSIBLE THREATS

NETWORK TIER
networkOff

Clients and apps need a network to connect. Many applications exist on or communicate over the biggest network—the Internet. An app also typically resides on an internal network, allowing app admins to connect and make changes.

The network tier is a target of multiple types of DDoS attacks. Compromised internal networks can lead to unauthorized disclosure, alteration, or destruction of data.

POSSIBLE THREATS

ATTACK TYPES

HOW APPS ARE ATTACKED

Attack Types

Explore the app components to understand each tier and the its associated threats.

DDOS
services access dns network

The purpose of a DDoS attack is to make an application unavailable. DDoS attacks typically originate from an "army" of hacker-controlled bots.

All tiers of an app have a capacity limit or are designed in a way that's vulnerable to DDoS attacks. Volumetric attacks target the network tier, overwhelming bandwidth. Others target server or infrastructure resources such as CPU, memory, or state tables.

DDoS Solutions

Use Cases

WEB APPLICATION
services access

Web app attacks target the data held by apps through layer 7 by attempting to steal a user's credentials via a man-in-the-middle attack or exploiting vulnerabilities in servers, frameworks, libraries or even business logic flaws within custom code.

Also included are access-control attacks, like credential stuffing, brute force attacks, and credential theft via malware or phishing.

Web App Security Solutions

Use Cases

APP INFRASTRUCTURE
tls dns network

Application infrastructure refers to the systems that applications depend on that are external to the app itself. Attacks against application infrastructure target TLS, DNS, and the network tiers. These attacks can include compromising a vulnerable implementation of TLS/SSL, spoofing DNS to divert user traffic, a man-in-the-middle attack on a network, or a DDoS attack on any of these tiers.

App Infrastructure Solutions

Use Cases

ACCESS
tls dns network

Attacks on access often consist of botnets attempting to brute force user accounts, test stolen passwords, or look for web apps with weak access controls. While preventing successful attacks is paramount, understanding how users access your apps can help you balance “least privilege” without compromising user productivity.

一般的な組織は765のアプリケーションを使用していて、そのすべてが攻撃対象です。アプリケーションを適切に保護していますか?

レポートを読む

 

アプリケーション スタック全体を対象としたF5のアプリケーション保護

アプリケーション スタック全体を対象としたF5のアプリケーション保護

関連資料

IoTの追跡

Thingbotの成長と進化が引き起こすカオス

10年の情報漏洩

ブリーチの86%はアプリケーションとアイデンティティが標的です。

クラウド

クラウド フレンドリなセキュリティ

ビジネスを安全に保つサポート

お客様のセーフティネットになります

セキュリティ問題が発生したら、F5のSecurity Incident Response Team(F5 SIRT)にお任せください。

投資効果を最大化

F5 Professional Servicesは、ソリューションの設計、カスタマイズおよび実装をサポートします。

24x7体制でサポート

F5のSOC専門家は、企業に被害を与えるセキュリティ脅威からお客様を守ります。