WaaS security and threat detection overview
Vulnerabilities in web applications are frequently exploited by attackers, as they are a common and dynamic interface for almost every organization on the internet.
This document describes the security aspects of WaaS. We work continuously on security, and the current setup is subject to change at any time.
Standard protection with Azure
Currently, WaaS is hosted as an App Service on Microsoft Azure. Requests to applications running on top of App Service go through several gateways deployed in Azure datacentres around the world, responsible for routing each request to its corresponding application.
OS and runtime patching in Azure App Service
As App Service is a Platform-as-a-Service, the OS and application stack are managed by Azure; Comprend only need to manage your application and its data.
Azure manages OS patching on two levels, the physical servers and the guest virtual machines (VMs) that run the App Service resources. Both are updated monthly, which aligns to the monthly Patch Tuesday schedule. These updates are applied automatically, in a way that guarantees the high-availability SLA of Azure services.
When severe vulnerabilities require immediate patching, such as zero-day vulnerabilities, the high-priority updates are handled on a case-by-case basis.
Microsoft Antimalware for Azure is built in to Cloud Services products, and security patches are deployed automatically.
Microsoft Antimalware is a single-agent solution for applications and tenant environments, designed to run in the background without human intervention. Protection may be deployed based on the needs of application workloads, with either basic secure-by-default or advanced custom configuration, including antimalware monitoring.
Along with intrusion detection and distributed denial-of-service (DDoS) attack prevention systems, Microsoft conducts regular penetration testing to help identify and mitigate threats from both inside and outside Microsoft.
FTP(S), TLS, HTTPS
By default, FTP is disabled on all Azure App Services that Comprend create for our customers; FTPS is enabled where we require access for deployments.
Comprend also enforce HTTPS with TLS 1.2 on all sites that require it, to prevent an attacker from intercepting traffic to read and modify the data transferred between the victim and the website.
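The baseline above (no plain FTP, HTTPS enforced, TLS 1.2 as the minimum) can be checked against exported App Service settings. The following is an added example, not Comprend's own tooling; it assumes site records carrying the Azure site properties `httpsOnly`, `siteConfig.ftpsState` and `siteConfig.minTlsVersion`, and the sample records are constructed.

```python
# Added example: audit App Service settings against the FTP(S)/TLS baseline above.
# Property names follow the Azure site resource (httpsOnly, siteConfig.ftpsState,
# siteConfig.minTlsVersion); the site records below are constructed samples.

ALLOWED_FTPS_STATES = {"Disabled", "FtpsOnly"}  # "AllAllowed" permits plain FTP
MIN_TLS = (1, 2)


def parse_tls(version):
    """Turn '1.2' into (1, 2); return None for missing or malformed values."""
    try:
        major, minor = str(version).split(".")
        return int(major), int(minor)
    except ValueError:
        return None


def audit_site(site):
    """Return a list of findings for one site record; empty means compliant."""
    findings = []
    # A missing siteConfig is treated as unknown, which fails the checks below.
    config = site.get("siteConfig") or {}

    if site.get("httpsOnly") is not True:
        findings.append("httpsOnly is not enabled")

    ftps = config.get("ftpsState")
    if ftps not in ALLOWED_FTPS_STATES:
        findings.append(f"ftpsState is {ftps!r}, expected Disabled or FtpsOnly")

    raw_tls = config.get("minTlsVersion")
    tls = parse_tls(raw_tls)
    if tls is None or tls < MIN_TLS:
        findings.append(f"minTlsVersion is {raw_tls!r}, expected >= 1.2")
    return findings


def audit(sites):
    """Map site name -> findings, listing only sites that fail the baseline."""
    return {s["name"]: f for s in sites if (f := audit_site(s))}


SAMPLE_SITES = [  # constructed records, not real customer sites
    {"name": "site-ok", "httpsOnly": True,
     "siteConfig": {"ftpsState": "FtpsOnly", "minTlsVersion": "1.2"}},
    {"name": "site-legacy", "httpsOnly": False,
     "siteConfig": {"ftpsState": "AllAllowed", "minTlsVersion": "1.0"}},
    {"name": "site-unknown", "httpsOnly": True, "siteConfig": None},
]
```

Calling `audit(SAMPLE_SITES)` returns findings only for the two non-compliant records; a record whose settings are missing is reported rather than assumed safe.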
Azure Security Center
Azure Security Center helps Comprend prevent, detect, and respond to threats with increased visibility into and control over the security of the Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.
Azure Security Center also helps with security operations by providing a single dashboard that surfaces alerts and recommendations that can be acted upon immediately.
Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. Common among these exploits are SQL injection and cross-site scripting attacks, to name a few.
The following additional services are included on our WaaS platform to provide a further level of security and resilience.
Content Delivery Network (CDN)
To build a resilient and scalable web application, WaaS sites include a Content Delivery Network (CDN) to prevent Distributed Denial of Service attacks. The Content Delivery Network also hides the underlying application infrastructure by acting as a reverse proxy. Traffic is encrypted end-to-end with HTTP Secure (HTTPS).
The Content Delivery Network also enables performance enhancements, as static and dynamic content may be cached and delivered from a point of presence closest to the end user.
The WaaS CDN setup covers all traffic, not only resource files such as CSS as in most other setups.
Web Application Firewall (WAF) (Stackpath)
Web application firewall (WAF) is a feature of Application Gateway that provides centralized protection of your web applications from common exploits and vulnerabilities.
Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching and monitoring at multiple layers of the application topology. A centralized Web Application Firewall (WAF) helps make security management much simpler and gives better assurance to application administrators against threats or intrusions. A WAF solution can also react to a security threat faster by patching a known vulnerability at a central location, versus securing each individual web application. Existing application gateways can easily be converted to a web application firewall enabled application gateway.
Weekly Vulnerability scans
Detectify is an automated vulnerability scanner that helps you stay on top of threats. They work closely with the ethical hacking community to turn the latest security findings into vulnerability tests. This enables us to access exclusive security research and test your web site for over a thousand vulnerabilities including the OWASP Top 10 2017 and 2013.
Website Performance and Availability Monitoring
All WaaS websites use Pingdom, which alerts in real time if the website is not available.