Website Security: The Definitive Buyer’s Guide


What is Website Security? Critical Web Security Concerns

Evaluating and Selecting Website Security Tools: The Complete Guide

Website security is the practice of protecting web applications from a broad variety of cyber threats. Here are the most common security concerns faced by security teams tasked with securing websites and web applications:

  • Ensuring High Availability – many websites and web applications are mission-critical services that need to be up 24/7. Downtime can result in breach of SLAs, loss of revenue and damage to reputation.
  • Protecting Data – web applications typically hold sensitive customer and organizational data in back-end databases. If the web application is breached, there is a good chance attackers can reach this data.
  • Controlling Website Traffic – website owners need visibility and control over who is accessing their web presence. It is essential to differentiate good traffic from bad, for example legitimate bots from malicious bots, and block the bad traffic.
  • Protecting Trust and Reputation – the website is the storefront for most businesses. If a website is down, a homepage is defaced, or attackers compromise sensitive customer data, the damage to the brand can be severe.
  • Protecting Website Visitors – online users implicitly trust the websites they visit and the web applications they work with. If attackers can steal visitor sessions or identities, or compromise their devices, that trust is broken.
  • Security Automation – the security skills shortage and the high cost of security staff mean that most organizations have less security manpower than they need. Automating security tasks is essential to making the most of limited resources and ensuring web properties are adequately defended.

This is part of an extensive series of guides about application security.

Choosing the Right Website Security Solutions for Your Business

Which concern do you care about the most? Select the concerns that matter to you, and see a list of security solutions that can help you address them.

DDoS Mitigation

  • Ensuring High Availability
  • Protecting Trust & Reputation
  • Security Automation

Modern DDoS protection services protect websites against large-scale DDoS attacks by absorbing the attack across a network of cloud-based scrubbing capacity that scales to match its magnitude. The service inspects incoming traffic, down to the packet level where needed, and “scrubs” (drops) malicious packets and requests at large scale while allowing legitimate requests through to your origin.

Key Features

  • Support for all attack types – able to protect against both network layer attacks (volumetric floods, SYN floods, amplification) and application layer attacks (HTTP floods, slow requests), with broad support for application protocols.
  • HTTPS traffic – ability to terminate TLS and inspect encrypted requests. This means the service holds, or has access to, your TLS private keys; check how those keys are protected.
  • Protection for secondary assets – such as databases, file servers, and CRM systems.
  • Network capacity – check how many Gbps or Tbps of traffic the service can absorb; this roughly equals the scale of DDoS attack it can stop. Ask whether the figure is total network capacity or capacity dedicated to mitigation.
  • SLA – services should guarantee an uptime of between three nines (99.9%) and five nines (99.999%), specify the type, size and duration of attacks covered, and specify a guaranteed time to mitigation.
  • Fast attack mitigation – a DDoS attack can bring down your infrastructure in moments, while recovery can take hours or more. Time to mitigation needs to be measured in seconds, not minutes or hours.
  • Always-on protection – ideally, mitigation is completely seamless to end users. Ensure the service has the bandwidth and configuration to deliver website content with minimal added latency, and understand the difference between always-on protection and on-demand activation (BGP or DNS redirection), which adds switchover time.

APT Protection

  • Protecting Data
  • Protecting Trust & Reputation
  • Protecting Website Visitors
  • Network and Traffic Visibility

Websites and web applications are often the initial target for Advanced Persistent Threats (APTs). APT groups actively seek out website vulnerabilities, and a silently compromised website becomes a foothold from which they move laterally through the network to reach more sensitive data and systems.

There is no one tool that can protect against APTs. When selecting a solution for APT protection, consider a combination of tools that can protect against multi-faceted attacks.

Key Features

  • Lateral movement detection – visibility into attacks that span multiple systems or users, with lateral movement and gradual privilege escalation.
  • Multi-factor authentication – to prevent illicit access to organizational systems with stolen credentials alone.
  • Web application firewall (WAF) – to block suspicious requests to web applications.
  • Protection against web shells and other backdoors – detection of backdoor code uploaded to or planted on the web server, which is how a web compromise is typically turned into persistent access.
  • DDoS protection – DDoS may be used as part of an APT to distract security teams while attackers use other methods to penetrate the network.

Web Application Firewall

  • Ensuring High Availability
  • Controlling Website Traffic
  • Protecting Trust and Reputation
  • Protecting Website Visitors
  • Network and Traffic Visibility
  • Security Automation

WAFs are the cornerstone of proactive website security. A WAF sits in front of the application, at the network edge or as a cloud service, inspects all incoming traffic and blocks malicious requests. WAFs are versatile: they automatically block known attack types via built-in rules and let you deploy your own security policies for specific needs.

A major advantage of WAFs is that they can be deployed with no changes to the underlying applications and can block threats immediately, without waiting for vulnerabilities to be patched or problematic code to be modified. Treat this as a compensating control that buys time: the WAF blocks the known exploit paths, but the underlying vulnerability remains until it is fixed.

Unlike a traditional firewall, which works at the network and transport layers, a WAF understands application traffic (HTTP requests, parameters, cookies, bodies), can differentiate legitimate from malicious traffic, and can thus detect and block complex attack patterns.

Key features:

  • Traffic filtering—automatically block traffic from suspicious sources and requests matching the OWASP Top 10 and other known attack patterns.
  • Protection against vulnerabilities—detect and block traffic targeting known software vulnerabilities without requiring code fixes (virtual patching), with rules updated automatically from live threat intelligence to cover newly disclosed threats.
  • Deployment—deploy easily, without requiring any changes to underlying website systems. Compatible with public cloud, hybrid and on-prem environments.
  • Integrations—integrate with the enterprise SIEM, so that WAF alerts can be viewed in the context of other security data.
  • Minimizing false positives—allow customization of security rules (exceptions for specific paths, parameters or sources) to adapt to organizational requirements and cause minimal business disruption. The false positive rate should be low with the base configuration, even before customization.
  • Automatically updated and maintained—maintained and supported by a vendor-side security research team, especially important for zero-day threats.
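The rule-plus-exception model the list above describes, as an added example that is not part of this guide or of any vendor's product: a small Python rule engine with three illustrative rules, a per-path exception that stops the site's own HTML editor from tripping the XSS rule (the false positive the last two bullets warn about), and repeated URL decoding so a double-encoded payload does not slip past inspection. The `Request` class, the rule patterns and the `/cms/article` path are assumptions made for this example; real rule sets (the OWASP Core Rule Set, for instance) are far broader and score several signals rather than matching one regular expression per attack class.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote_plus, urlsplit


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical; a real WAF parses raw HTTP)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Rule:
    rule_id: str
    description: str
    pattern: re.Pattern
    exempt_paths: tuple = ()  # customer-defined exception: paths where this rule is not applied


# Illustrative vendor-style rules (constructed for this example).
RULES = [
    Rule("sqli-001", "SQL tautology, comment or UNION SELECT",
         re.compile(r"(?i)(\bor\b\s+['\"\d]+\s*=\s*['\"\d]+|--|/\*|\bunion\s+select\b)")),
    Rule("xss-001", "Script tag or inline event handler",
         re.compile(r"(?i)(<script\b|\bon\w+\s*=)"),
         # The site's CMS editor legitimately posts HTML here; without this exception
         # every article save would be blocked.
         exempt_paths=("/cms/article",)),
    Rule("path-001", "Directory traversal",
         re.compile(r"\.\./|\.\.\\")),
]


def _normalize(value: str, rounds: int = 3) -> str:
    """Undo nested URL encoding; attackers double-encode payloads to evade naive matching."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def _inspected_values(req: Request):
    """Yield (location, value) pairs a WAF would inspect: path, query and form fields."""
    parts = urlsplit(req.url)
    yield "path", _normalize(parts.path)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        yield f"query:{key}", _normalize(value)
    ctype = req.headers.get("Content-Type", "")
    if req.body and ctype.startswith("application/x-www-form-urlencoded"):
        for key, value in parse_qsl(req.body, keep_blank_values=True):
            yield f"body:{key}", _normalize(value)


def inspect(req: Request):
    """Return ("allow" | "block", [(rule_id, location), ...]) for one request."""
    path = urlsplit(req.url).path
    findings = []
    for rule in RULES:
        if path in rule.exempt_paths:
            continue
        for location, value in _inspected_values(req):
            if rule.pattern.search(value):
                findings.append((rule.rule_id, location))
                break  # one finding per rule is enough to decide
    return ("block" if findings else "allow"), findings
```

The findings list is what the "visibility into security decisions" requirement later in this guide asks for: every block names the rule and the exact location that matched, which is what you need when deciding whether to add an exception or tighten a rule.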

Insider Threat Prevention

  • Protecting Data
  • Protecting Trust and Reputation
  • Security Automation

Insider threats are a major risk to any IT infrastructure, web applications included. Any employee or third party who holds a privileged or administrative account on your web application can potentially turn against you and use that access to steal data, disrupt operations or let other attackers into the system.

Insider threats are harder to identify and prevent than outside attacks, and they are largely invisible to perimeter controls such as firewalls and intrusion detection systems, because the insider's activity is authenticated and expected. An effective insider threat detection program combines several tools to monitor insider behavior and to filter the large number of resulting alerts down to the few that matter.

Digital forensics and analytics tools such as User and Entity Behavior Analytics (UEBA) help automatically detect, analyze and alert the security team to potential insider threats. User behavior analytics establishes a baseline of normal data access activity for each user and flags deviations from it, while database activity monitoring identifies policy violations directly.

Key Features

  • User and Entity Behavior Analytics (UEBA) – helps protect against insider threats, zero-day attacks and APTs.
  • Database activity monitoring – monitors relational databases, data warehouses, big data and mainframes to generate real-time alerts on policy violations.
  • Data loss prevention (DLP) – inspecting data in motion, at rest, in the cloud or on endpoints.
  • Deception devices – such as decoys and honeypots, and real time monitoring and auditing of data usage.

Bot Management

  • Network and Traffic Visibility
  • Security Automation
  • Controlling Website Traffic

A majority of cyberattacks, and most modern threat vectors, involve automated bots. Thousands of bots hit your web presence every month. Some are legitimate (search engine crawlers, monitoring services); others are malicious bots that probe for vulnerabilities and exploit them when found. Bots can also be used to extract organizational data in other ways, such as scraping content and prices.

Bot protection solutions can identify and block bad bots, while allowing good bots to access your site.

Key Features

  • Behavior profiles – profiling the behavior of traffic over time (request rate, navigation patterns, timing) to distinguish human users, good bots and bad bots.
  • Reputation analysis – maintaining a database of bot signatures and source reputation (IP, ASN) and checking whether current traffic matches known bad bots or verified good ones.
  • Fingerprinting and challenges – checking HTTP header consistency and IP and ASN signatures, and issuing cookie and JavaScript challenges that a scripted client without a real browser engine cannot complete, to determine whether bots hitting your site are legitimate or malicious.

Access Management and IP Blocking

  • Ensuring High Availability
  • Controlling Website Traffic
  • Security Automation
  • Protecting Trust and Reputation

There are several approaches and tools to achieve secure access management. If you don’t have a full Identity and Access Management (IAM) system, your security solution should provide an automated way to enforce multi-factor authentication, help you filter out bad traffic from known malicious IPs or other bad sources, and let you define custom policies to block or admit traffic selectively.

Key Features

  • Multi-factor authentication – advanced security solutions can enforce multi-factor authentication whenever anyone logs into your web application, without requiring changes to the underlying application.
  • Reputation management – filters traffic based on detection of sources such as anonymous proxies, Tor exit nodes or geographies you do not serve.
  • IP blacklisting – uses lists of known bad traffic sources, from your own policies and from reputation feeds, to block requests from those sources.

Account Takeover Protection

  • Ensuring High Availability
  • Protecting Data
  • Protecting Trust and Reputation

An attacker who takes over a legitimate user’s account gets the same access as an insider and is just as hard to tell apart from normal activity once logged in, which is why insider threats are so difficult to identify and block. Preventing account takeover is therefore a preventive measure against this class of threat. Account takeover solutions use an intent-based detection process to identify malicious logins, combining behavioral analysis with global threat intelligence data.

Key Features

  • Intent-based detection – identifies malicious logins by cross-checking several signals: reputation of the source, behavioral signals (login rate, timing, number of accounts tried from one source), client classification (browser versus automation tooling) and more.
  • Visibility over login activity – allows you to view login activity across the enterprise, see if sites are under attack, identify which user accounts were hacked and what was done with the credentials.
  • Threat intelligence – advanced solutions use a global database of attack patterns, matching it to login patterns in your environment using machine learning.
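What the "visibility over login activity" and behavioral signals above look like when run over actual login records, as an added example that is not part of this guide or of any vendor's product: a Python analysis over a constructed login log (nine made-up events; no real users or addresses) that flags a credential-stuffing source (one IP trying many distinct accounts with mostly failures) and then marks any successful login as suspicious if it came from that source or from a country the account has never used before. The log format, the per-user geo baseline and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed login log: one source sprays six accounts, and one of those attempts succeeds.
LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=fail geo=NL
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=fail geo=NL
2024-05-01T10:00:02Z ip=203.0.113.5 user=carol result=fail geo=NL
2024-05-01T10:00:03Z ip=203.0.113.5 user=dave result=fail geo=NL
2024-05-01T10:00:04Z ip=203.0.113.5 user=erin result=fail geo=NL
2024-05-01T10:00:05Z ip=203.0.113.5 user=frank result=success geo=NL
2024-05-01T10:05:00Z ip=198.51.100.20 user=alice result=success geo=US
2024-05-01T10:06:00Z ip=198.51.100.21 user=bob result=fail geo=US
2024-05-01T10:06:10Z ip=198.51.100.21 user=bob result=success geo=US
"""

# Constructed per-user baseline: countries each account has logged in from before.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "frank": {"US", "GB"}}

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+) geo=(?P<geo>\S+)$")
STUFFING_MIN_ACCOUNTS = 5      # distinct accounts tried from one IP before it looks like stuffing
STUFFING_MIN_FAIL_RATIO = 0.8  # and most of those attempts must have failed


def parse(log_text: str):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in (LINE.match(line) for line in log_text.splitlines()) if m]


def analyze(log_text: str, baseline: dict) -> dict:
    events = parse(log_text)

    # Signal 1: per-source behaviour. A user typing a wrong password fails on one
    # account; a stuffing tool fails across many.
    users_per_ip, attempts, fails = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        users_per_ip[e["ip"]].add(e["user"])
        attempts[e["ip"]] += 1
        if e["result"] == "fail":
            fails[e["ip"]] += 1
    stuffing = {ip for ip, users in users_per_ip.items()
                if len(users) >= STUFFING_MIN_ACCOUNTS
                and fails[ip] / attempts[ip] >= STUFFING_MIN_FAIL_RATIO}

    # Signal 2: successful logins that are out of character for the account.
    suspicious = []
    for e in events:
        if e["result"] != "success":
            continue
        reasons = []
        if e["ip"] in stuffing:
            reasons.append("ip_in_stuffing_campaign")
        known_geos = baseline.get(e["user"])
        if known_geos is not None and e["geo"] not in known_geos:
            reasons.append(f"new_geo:{e['geo']}")
        if reasons:
            suspicious.append((e["user"], e["ip"], reasons))

    return {"stuffing_ips": sorted(stuffing), "suspicious_logins": suspicious}
```

Note what is not flagged: bob's failure followed by a success from his usual country is ordinary behaviour, and alice's successful login from her baseline country is untouched even though her account was among those attacked. The output names the compromised account (frank) and the credentials' source, which is the "which accounts were hacked and what was done" view the bullet list calls for.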

API Security

  • Ensuring High Availability
  • Protecting Data
  • Protecting Trust and Reputation

Many web applications expose an API, allowing others in the digital economy to leverage the web application in an automated manner. APIs are increasingly important, and growing more complex, but are usually not properly defended or monitored. Many APIs were not built with sound security practices, and may allow users to provide malicious input or otherwise misuse the API.

API security protects API endpoints by monitoring API requests and ensuring that only requests which conform to the API’s definition, and come from acceptable sources, reach the endpoint.

API endpoints should be protected as soon as they are published, and security should be part of your development process. Advanced solutions let you derive security policy from the API’s OpenAPI definition, so the same specification that documents the API (paths, methods, parameter and body schemas) is enforced as a positive security model: any request that does not match the definition is rejected. You can build security into your API as you develop it and publish it with security settings automatically applied.
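The positive security model described above, as an added example that is not part of this guide or of any vendor's product: a Python validator that enforces a small, constructed OpenAPI 3 definition for a hypothetical orders API. Unknown paths and methods are rejected, path parameters are type-checked, and JSON bodies are checked against the schema, including `additionalProperties: false`, which is what stops a client from smuggling an unexpected field such as `is_admin` into a request (mass assignment). The specification, the field names and the error messages are assumptions made for the example; the validator covers only the subset of JSON Schema the example needs, where a product would use a full schema engine.

```python
import json
import re

# Constructed OpenAPI 3 definition for a hypothetical orders API (not any real product's spec).
SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/v1/orders": {
            "post": {
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "required": ["sku", "quantity"],
                    "additionalProperties": False,      # unknown fields (mass assignment) are rejected
                    "properties": {
                        "sku": {"type": "string", "pattern": r"^[A-Z0-9-]{3,20}$"},
                        "quantity": {"type": "integer", "minimum": 1, "maximum": 100},
                        "note": {"type": "string", "maxLength": 200},
                    },
                }}}},
            },
        },
        "/v1/orders/{id}": {
            "parameters": [{"name": "id", "in": "path", "schema": {"type": "integer"}}],
            "get": {},
        },
    },
}


def _check(value, schema, where):
    """Validate one value against the subset of JSON Schema this example supports."""
    errors = []
    kind = schema.get("type")
    if kind == "string":
        if not isinstance(value, str):
            return [f"{where}: expected string"]
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{where}: longer than {schema['maxLength']}")
        if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
            errors.append(f"{where}: does not match pattern")
    elif kind == "integer":
        if not isinstance(value, int) or isinstance(value, bool):
            return [f"{where}: expected integer"]
        if "minimum" in schema and value < schema["minimum"]:
            errors.append(f"{where}: below minimum")
        if "maximum" in schema and value > schema["maximum"]:
            errors.append(f"{where}: above maximum")
    elif kind == "object":
        if not isinstance(value, dict):
            return [f"{where}: expected object"]
        props = schema.get("properties", {})
        errors += [f"{where}.{r}: required" for r in schema.get("required", []) if r not in value]
        for key, item in value.items():
            if key in props:
                errors += _check(item, props[key], f"{where}.{key}")
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{where}.{key}: unexpected property")
    return errors


def _match_path(spec, path):
    """Find the path template matching a concrete path; return (path item, path params)."""
    for template, item in spec["paths"].items():
        pattern = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template)
        m = re.fullmatch(pattern, path)
        if m:
            return item, m.groupdict()
    return None, {}


def validate_request(spec, method, path, body=None, content_type="application/json"):
    """Return a list of violations; an empty list means the request conforms to the definition."""
    item, path_params = _match_path(spec, path)
    if item is None:
        return ["path not in API definition"]
    op = item.get(method.lower())
    if op is None:
        return [f"method {method} not allowed on {path}"]
    errors = []
    for p in item.get("parameters", []) + op.get("parameters", []):
        if p["in"] != "path":
            continue
        raw = path_params[p["name"]]
        # Path values arrive as text; coerce only clean integers so "42;DROP" fails the type check.
        value = int(raw) if p["schema"].get("type") == "integer" and raw.lstrip("-").isdigit() else raw
        errors += _check(value, p["schema"], f"path.{p['name']}")
    body_spec = op.get("requestBody")
    if body_spec:
        schema = body_spec["content"].get(content_type, {}).get("schema")
        if schema is None:
            return errors + [f"unsupported content type {content_type}"]
        try:
            parsed = json.loads(body or "")
        except json.JSONDecodeError:
            return errors + ["body is not valid JSON"]
        errors += _check(parsed, schema, "body")
    elif body:
        errors.append("unexpected request body")
    return errors
```

Because the definition is the policy, a developer who adds a field to the schema has also, in the same change, permitted it at the edge; a field that is never added is never accepted. That is the practical meaning of "build security into your API as you develop it".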

Key Features

  • Block unwanted traffic – intercept and block traffic from known bad IPs, suspicious geographies, anonymous proxies, Tor exit nodes, etc.
  • Attack detection – advanced solutions detect and block known attack patterns in API requests using a Web Application Firewall (WAF).
  • DDoS protection – protects your APIs against DDoS at the network and transport layers (layers 3/4, e.g. SYN flood) and at the application layer (layer 7, e.g. floods of expensive API calls).
  • API gateway integration – API security solutions should integrate with common API gateways, such as those from Azure, AWS or Red Hat.

Security Customization

  • Protect Data
  • Controlling Website Traffic
  • Protecting Trust and Reputation
  • Security Automation

Website security solutions are often deployed at the network edge and make decisions about traffic entering your website. Customization is essential to ensure the solution does not break your business: if it blocks legitimate traffic, it can cause the same damage as the attacks it was meant to prevent. You need to be able to define custom rules that control the automated response, respond to specific attacks and enable specific use cases (for example, an upload or editor endpoint that legitimately receives content the default rules would flag).

Key Features

  • Custom rules to define different automated responses (block, challenge, log only) to different scenarios
  • Security policies for different types of traffic
  • Granular access control policies
  • Allow lists and block lists (whitelisting and blacklisting) for sources, paths and clients
  • A high degree of visibility into the security decision process – what was blocked, by which rule, and why

Vendor-Side Security Research Team

  • Protect Data
  • Controlling Website Traffic
  • Protecting Trust and Reputation
  • Security Automation

Leading security vendors have experience protecting thousands of organizations and have defended against millions of attacks. Look for a solution that gives you access to the vendor’s security team: an outsourced helping hand for defining policies and security configuration and for dealing with day-to-day security incidents.

The primary benefit of having a security research team on hand is faster protection against zero-day and newly disclosed threats. Organizations relying only on their own intelligence have little chance of defending against a zero-day threat: weeks or months may pass until the threat is publicized, patches are released and they are actually deployed on local IT systems.

With a vendor-side security research team, as soon as a zero-day threat goes public, or as soon as one customer is hit by it, the attack pattern is propagated to all users of the security tool. All of them can be defended quickly by a new security configuration that blocks the threat, well before a patch is available or deployed.

Key Features

  • Human assistance with configuring security settings or policies
  • Vendor-based security analysts help analyze alerts and remove false positives
  • Vendor-offered incident response teams
  • Vendor assistance with major security incidents

Event Logging, Prioritization and Anomaly Detection

  • Protect Data
  • Controlling Website Traffic
  • Protecting Trust and Reputation
  • Security Automation

Most organizations face a chronic shortage of security staff, and an explosion of security-related alerts from multiple tools. User and Entity Behavioral Analytics (UEBA) can be an important tool in prioritizing alerts, and ensure human security teams only review alerts that really represent malicious activity.

UEBA technology establishes a behavioral baseline for user accounts, endpoints and entities on the network such as switches, routers and applications. An alert is generated only when activity deviates from that baseline, and does so by more than an acceptable threshold.

Key features:

  • Behavioral analytics—identify real malicious activity using UEBA to reduce false positives.
  • Threat intelligence—match traffic patterns to known attack signatures to identify attacks and provide context about threat actors.
  • Log analysis—correlate and analyze logs from multiple IT systems and security tools.
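The baseline-and-threshold mechanism this section describes, and the data access baseline the Insider Threat Prevention section refers to, as one added example that is not part of this guide or of any vendor's product: a Python detector that keeps 14 days of per-user record-access counts (constructed numbers, no real users), scores today's count as a z-score against each user's own history, and emits alerts only above a deviation threshold, ranked so a human sees the largest deviation first. The numbers, thresholds and severity rule are assumptions made for the example. Two edge cases the text does not spell out are handled: a perfectly flat history (standard deviation zero) gets a floor so it cannot divide by zero or alert on a single record, and a user with no history yet is skipped rather than scored against nothing.

```python
import statistics

# Constructed data: records read per user per day over the past 14 days, and today's count.
# Weekend zeros for the human accounts are part of their normal pattern.
HISTORY = {
    "alice":   [120, 135, 110, 128, 140, 0, 0, 125, 130, 118, 122, 139, 0, 0],
    "bob":     [8, 12, 10, 9, 11, 0, 0, 10, 9, 12, 8, 11, 0, 0],
    "svc-etl": [5000, 5100, 4950, 5050, 5000, 5020, 4980, 5010, 5090, 4970, 5030, 5000, 5060, 4990],
    "carol":   [0] * 14,
}
TODAY = {"alice": 4800, "bob": 40, "svc-etl": 5100, "carol": 2, "dave": 300}

Z_THRESHOLD = 3.0   # alert only when today is more than 3 standard deviations above the baseline
MIN_EXCESS = 50     # records above the mean before an alert is rated high (keeps tiny counts low-priority)
MIN_STDEV = 1.0     # floor so a perfectly flat history does not divide by zero or alert on +1 record


def score(history, today):
    """Return (baseline mean, z-score of today's count against that baseline)."""
    mean = statistics.fmean(history)
    stdev = statistics.stdev(history) if len(history) > 1 else 0.0
    return mean, (today - mean) / max(stdev, MIN_STDEV)


def detect(history_by_user, today_by_user):
    """Rank users whose activity today deviates from their own baseline, highest z-score first."""
    alerts = []
    for user, today in today_by_user.items():
        history = history_by_user.get(user)
        if not history:
            continue   # no baseline yet; a fuller system would fall back to a peer-group baseline
        mean, z = score(history, today)
        if z < Z_THRESHOLD:
            continue
        alerts.append({
            "user": user,
            "observed": today,
            "baseline_mean": round(mean, 1),
            "z": round(z, 1),
            "severity": "high" if today - mean >= MIN_EXCESS else "low",
        })
    return sorted(alerts, key=lambda a: a["z"], reverse=True)
```

With this data the service account's 5100 reads are unremarkable because its baseline is large and steady, while alice's 4800 reads are a high-severity alert because they are dozens of standard deviations above her normal day. That is the prioritization the section describes: the same absolute number is normal for one entity and an exfiltration signal for another, and only the per-entity baseline tells them apart.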

Real Time Traffic Visibility

  • Ensuring High Availability
  • Controlling Website Traffic
  • Security Automation

To manage security for a website, you need maximum visibility into the traffic reaching it. Real-time visibility into threats and malicious activity in that traffic is what makes a real-time response possible.

Advanced web security solutions let you visualize traffic types, sources, protocols, bandwidth and packet rates. Beyond that, they should aggregate this data to show you legitimate versus malicious traffic, and let you identify the type of attack each session belongs to.

In addition, you should have access to historical and forensic data, to get full context on a current attack, and for threat hunting purposes.

Key Features

  • Real time traffic data – traffic volumes, sources, bandwidth, packet rates, etc.
  • Historical data – view traffic data from weeks or months back to understand historical trends for current threats.
  • Security events – view which attacks hit your site, right now or historically, and which sessions belong to which attack type.

Runtime Application Self-Protection (RASP)

  • Ensuring High Availability
  • Protect Data
  • Protecting Trust and Reputation
  • Security Automation

Exploits and vulnerabilities are discovered every day, and not every one of them can be patched before it is attacked. Runtime Application Self-Protection (RASP) works from inside the application rather than in front of it: a RASP agent is loaded into the application runtime (for example as an instrumentation library or language-runtime hook) and watches sensitive operations such as database queries, file access, command execution and deserialization as they happen. Because it sees the final, fully decoded data at the moment it reaches a sink, it can block an exploit attempt against a vulnerability in your own code, legacy code or a third-party component even when the vulnerability is not yet known, and with far fewer false positives than inspection at the edge alone.

RASP is a runtime control, not a development-time scanner: it complements code scanning and a WAF rather than replacing them, and it protects the application only while the agent is running with it. It can provide protection by default for the OWASP Top 10 and for known and zero-day attacks, and also covers legacy and third-party applications packaged with your software.

Key Features

  • Instruments the running application and inspects sensitive operations (database queries, file and command execution, deserialization) with full application context
  • Blocks exploit attempts at the moment they reach a vulnerable sink, without signatures or a learning mode
  • Covers your own code, legacy applications and third-party components, with no code changes required
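What "blocking at the sink" means in practice, as an added example that is not part of this guide or of any vendor's product: a hypothetical RASP hook in Python that wraps a `sqlite3` cursor and inspects each query at the moment it is executed. The same injection payload is sent through two code paths. Through the deliberately vulnerable function, which interpolates input into the SQL text, the payload changes the query's structure and the guard blocks it. Through the correct, parameterized function the payload never becomes part of the SQL text, so it executes as harmless data and is not blocked. No change to either function is needed, which is the "no code changes required" property above. The guard patterns, table and rows are constructed for the example; a product inspects many more sinks and uses parse-level analysis rather than regular expressions.

```python
import re
import sqlite3


class RaspBlocked(Exception):
    """Raised by the runtime guard when a database call looks like an injection."""


# What should never appear in SQL *text* assembled by this application. A bound parameter
# containing the same characters never reaches the SQL text, so it is not inspected at all.
TAUTOLOGY = re.compile(r"(?i)\bor\b\s+'?(\w+)'?\s*=\s*'?\1'?")
COMMENT_OR_STACKED = re.compile(r"--|/\*|;")


class GuardedCursor:
    """Hypothetical RASP hook: wraps sqlite3.Cursor and inspects each query at execution time."""

    def __init__(self, cursor):
        self._cursor = cursor

    def execute(self, sql, params=()):
        if TAUTOLOGY.search(sql) or COMMENT_OR_STACKED.search(sql):
            raise RaspBlocked(f"blocked at runtime: {sql!r}")
        return self._cursor.execute(sql, params)

    def __getattr__(self, name):   # everything else passes straight through to the real cursor
        return getattr(self._cursor, name)


def make_db():
    """In-memory database with constructed rows; returns a guarded cursor."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return GuardedCursor(conn.cursor())


def find_user_unsafe(cur, name):
    """Deliberately vulnerable: untrusted input is interpolated into the SQL text."""
    return cur.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(cur, name):
    """Correct: the value is bound as a parameter and never becomes part of the SQL text."""
    return cur.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()
```

The contrast with a WAF is the point: an edge device sees the string `' OR '1'='1` in a request and must guess whether it is dangerous, so it either blocks the parameterized call too (a false positive) or lets both through. The runtime hook sees the assembled query and only has to answer one question, whether the structure of this statement is one the application would ever build itself.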

SIEM Integration

  • Security Automation

Without SIEM integration, a website security solution is of limited use to your SOC team. Nobody wants to add “one more screen” to look at.

If your team uses Security Information and Event Management (SIEM), ensure your website security tooling integrates with it. This will let you use data and alerts from your security solutions to raise SIEM alerts, and conduct security analysis and investigations.


Non-Functional Requirements

  • Flexible deployment—ensure all components of the security solution deploy rapidly with no changes to underlying systems. This saves time, avoids complex implementation projects, and lets you apply security evenly to new and legacy systems.
  • SLA—ensure the solution provider commits to an SLA for response to attacks, and that this SLA is acceptable in terms of your Recovery Time Objective (RTO).
  • Pricing—invest what is needed to get complete coverage of all important threat vectors. Security has high value and can significantly reduce the risk of a catastrophic breach; keep in mind that industry estimates put the average cost of a breach at around $8 million.
  • Compliance—ensure your solution supports all the regulations and industry standards you need to comply with: HIPAA, PCI DSS, SOX, GDPR, FERPA, etc.

Prefer a Specialist Website Security Solution

Website security is a discipline that has evolved greatly over the past two decades, with specialist solutions such as DDoS mitigation technology, WAF, bot protection and API security. Even generic security practices like event logging and behavioral profiling need to be adapted to be effective for the analysis of web traffic and web application threats.

When selecting a vendor, evaluate whether your provider of choice offers website security as one item in a huge bundle of services, or treats application security as a core part of its business. We advise preferring vendors with deep experience and specialized technology suited to the challenges of application security.

Imperva Website Security

Imperva provides a complete solution for website security, providing all the tools you need to secure a critical website or web application. We maintain an internal security research team that analyzes data from thousands of organizations and helps you defend against the latest threats.

Imperva is a highly customizable security solution that lets you add rules or exceptions to match your business workflows and prevent disruption to users. It comes with advanced access control functionality, including multi-factor authentication, which you can implement easily with no change to existing applications, and granular role-based access control (RBAC) for IT systems.

The Imperva application security solution includes:

DDoS Protection—maintain uptime in all situations. Prevent any type of DDoS attack, of any size, from preventing access to your website and network infrastructure.

WAF—cloud-based solution permits legitimate traffic and prevents bad traffic, safeguarding applications at the edge, while a gateway WAF keeps applications and APIs inside your network safe. The WAF also facilitates easy deployment across the organization of access control measures, such as multi-factor authentication.

Bot Management—analyzes your bot traffic to pinpoint anomalies, identifies bad bot behavior and validates it via challenge mechanisms that do not impact user traffic. Reputation management also allows you to filter out unwanted traffic based on sources, geographies, patterns, or IP blacklists.

Account Takeover Protection—uses an intent-based detection process to identify and defend against attempts to take over users’ accounts for malicious purposes. This helps mitigate insider threats and protects against privilege escalation and lateral movement.

API Security—protects APIs by ensuring only desired traffic can access your API endpoint, as well as detecting and blocking exploits of vulnerabilities.

Attack Analytics—mitigate and respond to real security threats efficiently and accurately with actionable intelligence across all your layers of defense. Leverages machine learning and data risk analytics to distill millions of alerts, identify suspicious data access and prioritize threats.

RASP—keep your applications safe from within against known and zero‑day attacks. Fast and accurate protection with no signature or learning mode.

CDN—enhance website performance and reduce bandwidth costs with a CDN designed for developers. Cache static resources at the edge while accelerating APIs and dynamic websites.

See Additional Guides on Key Application Security Topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of application security.

  • API Security – authored by Bright Security
  • Vulnerability Management – authored by Bright Security
  • Cyber Attack – authored by Imperva