In the next three years, software as a service ‘SaaS’ is likely to grow by around 23%. That’s according to reports by Cognizance. It’s growth rests on the adoption of cloud public, private and hybrid.

Without the cloud applications can’t truly pervade an organisation, nor can operational or customer benefits be derived. But there’s no point in adopting the cloud if it’s not secure - the proliferation of SaaS demands security, none more so in a GDPR world.

Large cloud environment

But modern applications are difficult to secure. SaaS based, web, mobile, or custom made all work on different platforms and frameworks. It’s a headache managing all the APIs needed to automate and sync tools. This introduces risk. The greater the number of apps the broader the attack surface and therefore the greater the chance there will be blind posts.

Keeping up to date with updates and new security policies is never easy

There are also added hazards. Applications are always changing. Keeping up to date with updates and new security policies is never easy, but especially hard in a large cloud environment. Failure to adopt changes puts the organisation and customers at further risk. But the biggest obstacle is keeping applications and APIs out of harm’s way. It’s a near on impossible task when attack methods and sources are constantly changing.

More advanced threats

To be specific there are four emerging challenges when it comes to protecting apps. Firstly, managing the good and the bad bots and spotting which is which, secondly securing APIs as IoT adoption intensifies, thirdly the relationship between securing apps and DevOps and ensuring ownership of security, and finally denial of service attacks that use newer tactics such as brute force.

Basic security hygiene dictates that security teams refer to the OWASP Top 10. It’s considered the ‘ten commandments’ in security circles, providing a starting point for ensuring the most common threats and vulnerabilities are managed, detected and mitigated. Web Application Firewalls also come into the fray with guidance on testing for the ways hackers exploit vulnerabilities. However, though the basics are good to have in place, there are always more advanced threats to take care of. Bots being a big one.

Bot management

The more sophisticated bots will go as far as to mimic human behaviourAstonishingly about half of internet traffic is bot generated. Half of it is from bad bots. Discerning the good from the bad isn’t easy though and explains why around 80% of organisations can’t make a clear distinction between the two.

Bad bots can do a lot of damage like take over user accounts and payment information, scrape confidential data, or hold up inventory and skew marketing metrics. The more sophisticated bots will go as far as to mimic human behaviour and bypass tools like CAPTCHA and even device fingerprinting based protection ineffective.

Securing APIs

Then there’s the complications derived from machine-to-machine and internet of things (IoT) communications. The more integrated ‘things’, the more data there is, the more events there are report on, and the more activity there is reliant on APIs to make the ‘things’ useful and agile.

That’s what makes them a target and the threats to API vulnerabilities include injections, protocol attacks, parameter manipulations, invalidated redirects and bot attacks. There’s the risk that business will grant access to sensitive data, without inspecting nor protecting APIs to detect cyberattacks.

 

Astonishingly about half of internet traffic is bot generated
There’s the risk that business will grant access to sensitive data, without inspecting nor protecting APIs to detect cyberattacks

Denial of service (DoS)

You might think there’s little to add to the swathes of denial of service warnings. Yet when businesses are still being targeted and feeling the ill effects it’s worth mentioning again that different forms of application-layer DoS attacks are still very effective at bringing application services down.

Even the greatest application protection is worthless if the service itself can be knocked down

This includes HTTP/S floods, low and slow attacks (famous examples being Slowloris, LOIC, Torshammer), dynamic IP attacks, buffer overflow, Brute Force attacks and more. The IoT botnets are the culprits and have made application-layer attacks so popular that they have become the preferred DDoS attack vector. Even the greatest application protection is worthless if the service itself can be knocked down.

Continuous security

It may seem easy to say but for modern DevOps, agility is valued at the expense of security. We see time and again examples of where development and roll-out methodologies, such as continuous delivery, mean applications are exposed to threats each time they are modified.

There’s no doubt it is extremely difficult to maintain a valid security policy and protect sensitive data in dynamic conditions without creating a high number of false positives. But we now find that this task has gone way beyond the capability of humans. Organisations now need machine-learning based solutions that map application resources, analyse possible threats, and create and optimise security policies in real time. Reaching this level in security planning should be a big wake-up call that security automation is an essential not a nice to have.

Running security plans

The board needs to know that investment is critical to protect their profits

It’s critical that the security solution your company adopts protects applications on all platforms, against all attacks, through all the channels and at all times. The board needs to know that investment is critical to protect their profits. As such there are six things they need to know:

  • Application security solutions must encompass web and mobile apps, as well as APIs.
  • Bot management solutions need to overcome the most sophisticated bot attacks.
  • DDoS mitigation must be an essential and integrated part of application security solutions.
  • A future-proof solution must protect containerised applications, severless functions, and integrate with automation, provisioning and orchestration tools.
  • To keep up with continuous application delivery, security protections must adapt in real time.
  • A fully managed service should be considered to remove complexity and minimise resources. No amount of human power will beat the bots.

That last point is the most critical. Skill is essential in designing and running security plans and policies that work. But the plans can’t be executed without automated tools. There are just too many decisions to make in a split second. Combining both is the path to an effective app protection strategy and a stronger brand to boot.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version

Author profile

Jeff Curley Sales Manager, Online Digital, Radware

In case you missed it

Which technologies will disrupt the security industry in the second half of 2020?
Which technologies will disrupt the security industry in the second half of 2020?

The first half of 2020 has been full of surprises, to say the least, and many of them directly impacted the physical security market. The COVID-19 pandemic created endless new challenges, and the physical security market has done our part to meet those challenges by adapting technology solutions such as thermal cameras and access control systems. In the second half of 2020, we can all hope for a return to normalcy, even if it is a “new normal.” In any case, technology will continue to play a big role. We asked this week’s Expert Panel Roundtable: Which technologies have the greatest potential to disrupt the security industry in the second half of 2020?

What do you need to know about thermal imaging cameras?
What do you need to know about thermal imaging cameras?

As businesses, schools, hospitals and sporting venues look to safely reopen in a COVID-19 world, thermal imaging systems will play a critical role in helping to detect and distinguish skin temperature variations in people. Thermal surveillance, a mainstay of traditional physical security and outdoor perimeter detection, is now being deployed to quickly scan employees, contractors and visitors as part of a first line of defense to detect COVID-19 symptoms. In the coming weeks and months, the security industry will look to implement thermal camera solutions for customers, yet many questions remain as to the differences between different system types and how to properly install thermal imaging cameras. In this Q&A, Jason Ouellette, Head of Technology Business Development for Johnson Controls, answers several of these questions. Q: What are some of the different thermal imaging solutions available in the market to detect an elevated temperature in a person? For the general market, there are three types of these thermographic screenings. There is the handheld device, which is typically lower cost, very portable, and very easy to use. Typically, this is a point and shoot type of device, but it requires you to be three feet or less from the person that you're screening, which, in today's world, means the user needs to wear protective personal equipment. For the general market, there are three types of these thermographic screenings The second type of solution would best be described as a thermal camera and kiosk. The advantage of this system over a handheld device is this can be self-service. An individual would go up to and engage with the kiosk on their own. But many of these kiosk type solutions have some integration capability, so they can provide some type of output, for either turnstiles, or physical access control, but not video management systems (VMS). Some of the downside of this type of system is that it’s less accurate than a thermographic solution because it does not have a blackbody temperature calibration device and the readings are influenced by the surrounding ambient temperature, called thermal drift. So instead of being able to achieve a ±0.3ºC accuracy rating, this system probably provides closer to ±0.5ºC at best. Some of these devices may be classed as a clinical thermometer with a higher degree of one time accuracy, but do not offer the speed and endurance of the thermographic solution for adjunctive use. And then there are thermal imaging camera systems with a blackbody temperature calibration device. These types of systems include a dual sensor camera, that has a visual sensor and a thermal sensor built right into the camera, along with a separate blackbody device. This provides the highest degree of ongoing accuracy, because of the blackbody and its ability to provide continuous calibration. These systems can provide much more flexibility and can offer integrations with multiple VMS platforms and access control devices. Q: When installing a thermal imaging camera system what is the most important element to consider? Camera placement is critical to ensure the system works as expected, however the placement of the blackbody device which verifies the correct calibration is in place is equally as important. If the customer wants to follow FDA medical device recommendations for camera placement, both the height of the camera and the blackbody as well as the distance between these devices should comply with the product installation instructions. This takes into account the device focal range and calibration parameters in addressing the distance from the person undergoing the scan. Also, integrators should minimise camera detection angles to ensure optimal accuracy and install cameras parallel with the face as much as possible, and again in compliance with installation instructions. Integrators should minimise camera detection angles to ensure optimal accuracy The blackbody should be placed outside of the area where people could block the device and located more towards the edges of the field-of-view of the camera. You need to keep in mind the minimum resolution for effective thermographic readings which is 320 by 240 pixels as defined by the standards. To achieve this, you would need to follow medical electrical equipment performance standards driven by IEC 80601-2-59:2017 for human temperature scanning and FDA guidelines. Within that measurement, the face needs to fill 240 x 180 pixels of the thermal sensor resolution, which is close to or just over 50 percent of the sensor’s viewing area typically, meaning a single person scanned at a time in compliance with the standards for accuracy.  Along with height and distance placement considerations, the actual placement in terms of the location of the system is key. For example, an expansive glass entryway may impact accuracy due to sunlight exposure. Installations should be focused on ensuring that they are away from airflow, heating and cooling sources, located approximately 16 feet from entry ways and in as consistent of an ambient temperature as possible between 50°F and 95°F. Q: Once a thermal imaging camera system is installed, how do you monitor the device? There are several choices for system monitoring, depending on whether the solution is used as standalone or integrated with other technologies, such as intrusion detection, access control or video systems. For standalone systems, the ability to receive system alerts is typically configured through the camera’s webpage interface, and the cameras include abilities such as the live web page, LED display for alerting, audio alerts and physical relay outputs. When done right, these features will all follow cybersecurity best practices which is important for any network solution today, including changing default passwords and establishing authentication methods. The ability to receive system alerts is typically configured through the camera’s webpage interface These types of thermal cameras can also integrate with turnstile systems, VMS platforms and access control systems. This is typically done through the integration of a relay output, activated by a triggered temperature anomaly event on a thermal imaging camera which can then be used for activities such as locking a turnstile, or through access control and video systems to send an email or provide an automated contagion report for contact tracing. These capabilities and integrations extend the monitoring capability above that of the standalone solution. The camera can be configured to monitor a specific range of low and high alerts. Users can determine the actions that should be taken when that alert exceeds the preset low or high threshold. These actions include things like a bright and easy-to-see LED can provide visual notification through pulsing and flashing lights as an example. Q: What about system maintenance? Does a thermal imaging camera require regular service in order to operate accurately? First it’s important to make sure the system is calibrated. This can be done after the unit stabilises for at least 30 minutes to establish the initial reference temperature source known as the blackbody. Calibrations conducted before this warm up and stability time period can throw off accuracy. Also, as part of your system maintenance schedule you will want to perform a calibration check of the blackbody device every 12 months, along with following recommendations of the FDA and IEC. If you install the solution and don’t perform maintenance and the blackbody calibration certificate expires, over time there’s a risk that the device will experience drift and a less accurate reading will result. There’s a risk that the device will experience drift and a less accurate reading will result Q: What final pieces of advice do you have for either an integrator who plans to install a thermal imaging camera system or an end user who plans to invest in this solution? Before you buy a thermal imaging camera check to see if the manufacturer ships the camera with a calibration certificate. Also, become familiar with FDA’s guidance released in April 2020, Enforcement Policy for Telethermographic Systems During the Coronavirus Disease 2019 (COVID-19) Public Health Emergency. This document places thermal/fever products for adjunctive use under the category of a Class I medical devices and subject to its regulatory control. Driven by these regulations and categorisation, users need to understand specifically what is required to meet the required level of accuracy for successful detection. While thermal imaging camera systems are more complex than traditional surveillance cameras, they can prove to be a valuable resource when set up, configured and maintained properly.

Recognising the importance of security officers to promote safety
Recognising the importance of security officers to promote safety

The general public doesn’t give much thought to the important role of security officers in creating and promoting safer environments. The low-profile work of security officers is vital to protecting people, places and property. During the pandemic, newer aspects to that role have emerged. Security personnel have been called on to perform diverse tasks such as managing queues at the supermarket, safeguarding testing centres and hospitals, ensuring food deliveries, and supporting police patrols. The British Security Industry Association (BSIA) and two other organisations in the United Kingdom are joining forces to raise awareness of the work of security officers and to recognise the vital importance of the duties they perform. BSIA, a trade association, includes members who are responsible for 70% of privately provided UK security products and services, including security guarding, consultancy services, and distribution and installation of electronic and physical security equipment. BSIA, the Security Institute and the Security Commonwealth Joining BSIA in the awareness campaign are the Security Institute, a professional security membership body; and the Security Commonwealth, which is comprised of 40 organisations from across the security landscape with common objectives to build professionalism, raise standards and share best practices. “The recognition of security officers as key workers is the start of a re-appraisal of what service they provide to the community in keeping the public safe and secure,” says Mike Reddington, BSIA Chief Executive. “As we exit lockdown and have to navigate public spaces again, [security officers] will have a crucial role in supporting public confidence. We are working closely with the Police and all other public bodies to find the best way to achieve this.” Security officers acknowledged as key workers The campaign will showcase security professionals as a respected, valued, professional service provider and a key worker that is acknowledged and embedded in daily lives. The British Security Industry Association (BSIA) and two other organisations in the United Kingdom are joining forces to raise awareness of the work of security officers “Great effort has been invested in the professional standards and capabilities of frontline [security] officers, and they have proven their worth during the coronavirus crisis in the UK,” says Rick Mounfield, Chief Executive, the Security Institute. “They, along with the wider security sector, deserve to be recognized, respected and appreciated for the safety and security they provide across the United Kingdom.” “[We are working to] build professionalism, raise standards and share best practices, and I hope this campaign can make more people recognise the changes we have all made and continue to make,” says Guy Matthias, Chairman of the Security Commonwealth (SyCom). The industry will be reaching out to companies, professionals, and organisations in the sector to participate in the campaign. The hope is that, over the coming weeks as lockdown is eased, the industry can play its part to ensure that the country emerges with confidence to start to recover and build for the future. Private security more important than ever The campaign will showcase security professionals as a respected, valued, professional service provider Across the pond in the United States, law enforcement professionals are facing a crisis of confidence during a time of civil unrest as protestors call to “defund the police” and to otherwise undermine and/or recast law enforcement’s role in preserving the peace and ensuring public safety. If an upshot is that public policing is starved of resources, the role of private security to supplement their mission is likely to increase. In short, the role of private security is more important than ever on both sides of the Atlantic. Public recognition of that role is welcome, obviously. In any case, the importance of their role protecting people, places and property has never been greater.