It’s Lights Out: Attacking the Application Layer

25/03/2019 16:00:30
According to BusinessofApps.com, 197 billion mobile apps were downloaded in 2017, with that number projected to jump to 352.9 billion in 2021. TechCrunch reports that smartphone owners (let’s be honest – everyone) use 9 apps per day and 30 per month. Let’s get a bit more personal. I have 84 applications on my phone. A good friend of mine can use an app to unlock the door to her apartment building from anywhere in the world. I messaged a friend employed at the most powerful tech company in the world (ahem…Silicon Valley) and he has 295 apps on his phone, several business critical and one in particular to gain access to the most secretive tech campus in the world. In many APAC countries, commuters use apps to get access to public transportation. There’s no getting around it. Apps are important.

If you search for “application-layer attacks,” you’ll find a laundry list of information on the traditional DDoS (Distributed Denial of Service) attacks that flood a server with HTTP requests. But denial of service is far from the only type of attack carried out against this vast internet realm, the layer that can turn off the lights, open the doors and quite literally hand an attacker the keys to the kingdom.

At its most basic level, an application-layer attack targets the layer of the internet (layer 7 in the OSI model) which most directly affects the end user: the protocols and programs a person actually interacts with, rather than the network that carries them. Think of anything having to do with email, file transfer, web surfing and chatting and you’re squarely in the application layer. The Open Web Application Security Project (OWASP) is a free, vendor-neutral source of information designed to help organizations maintain the security of web applications and APIs by documenting common risks and publishing open guidance, tools and standards. Every few years OWASP puts together a Top 10 list of the most critical web application security risks, publishing the most recent version in 2017. The 2017 Top 10 are:

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring

About Sangfor Technologies
Sangfor Technologies takes application-layer security seriously. Sangfor NGAF (Next Generation Firewall) is AI-enabled and fully integrated with a WAF (Web Application Firewall). On top of that, we recently added two innovations: Neural-X (an AI-enabled cloud platform for threat intelligence and analytics) and Engine Zero (AI-powered malware detection). We don’t sacrifice performance for security either. NGAF focuses on detection methods, software architecture, engine performance and computing power. Everything you need to safely email, chat, check your bank accounts, pay your bills or dim your lights.
Founded in 2000 and publicly traded since 2018 (Sangfor stock code: 300454 (CH)), Sangfor Technologies is a leading global vendor of IT infrastructure solutions specializing in cloud computing and network security.

Note: One of the things we love about OWASP is their commitment to internationalization and localization – something Sangfor takes seriously too. The OWASP Top 10 for 2013 (the 2017 translations are still in the works) is available in Chinese, Italian, Korean and many other languages from the OWASP Top 10 project page. Look for future articles where we unpack each of the above application attacks, explain what it is and how to defend against it.
