Vivek Gopalan, the Product Head at Indusface

Q&A with Indusface: On Protecting Web Applications and the Importance of Managed WAF

By Community Team

In this age of rapid digitalization, with traditional businesses and their operations moving to the cloud, application security has become paramount. A recent study suggests that the cost of cyberattacks worldwide in 2021 could be around $6 trillion; about 92% of web applications have security flaws that can be exploited, and only 2% of applications have proper protection in place.

To address these challenges, Indusface has come up with a unique, comprehensive SaaS-based application security solution, AppTrana, that is quick to deploy and fully managed by Indusface so that organizations can concentrate on their business.

SourceForge had the chance to speak with Vivek Gopalan, the Product Head at Indusface, to discuss the value of application security in today’s digitally-connected world. Vivek also discusses the challenges that the industry is facing with traditional solutions and why management of application security has to be done by experts.

To begin with, can you please share with us a brief overview of your company, Indusface?

Indusface is an award-winning SaaS-based application security leader founded in 2012 to address the challenge around the lack of security expertise that many organisations face when it comes to application security. Application security is always in flux and constantly evolving, which means any solution protecting the web application has to keep pace, constantly evolve and be managed continuously. Unfortunately, not many organisations have such expertise in-house. It is to address this that Indusface built its fully managed app sec solution, AppTrana.

Our revolutionary solution is backed by years of research and development and is the only solution in the market that is comprehensive, with a perfect amalgamation of machine learning and human intelligence. Our dedicated team in the Sig-dev labs constantly monitors the threat landscape and develops innovative solutions to protect web applications. Indusface has wide industry recognition, with mentions in Gartner/Forrester reports, and is also the winner of many awards, including the DSCI best security company award, Economic Times Top 25 hot startups and the AWS Regional Innovative Technology Partner award.

What are the key markets you serve and who are your current customers?

One of the key indicators of Indusface’s success is its customer base. With more than 2000 customers worldwide, Indusface protects thousands of applications every day. With a major presence in India, where it is the market leader, Indusface has also gone global, with customers from more than 70 countries.

Indusface’s solution is adopted by companies in all key verticals, ranging from BFSI, government, ecommerce, health sectors and large enterprises to new-age start-ups. Some of our key deployments include the websites of a leading bank, a visa facilitation company and trading sites.

What is a WAF, and what are its limitations in its traditional form?

A WAF (Web Application Firewall) is a common solution used for protecting web applications. In layman’s terms, it is a device deployed in front of the web application server, so that traffic to the application is inspected for malicious requests, which are blocked. WAFs have been around for a while, and their major adoption can be attributed to compliance. Compliance standards like PCI DSS recommend that a WAF be deployed to ensure application protection.

Though WAFs have been around for a while now, studies suggest only 2% of web applications have a WAF deployed properly. A couple of major limitations with traditional solutions out there in the market, including those from leading vendors, are the one-size-fits-all approach that these solutions take, as well as the expectation that customers will have the expertise to manage the WAF.

Let me elaborate. With most vendors, when you onboard a site in their solution, they provide a set of default rules that can be applied to all applications. There is no intelligence about the application’s specific needs, nor is the risk posture of the application taken into account. These solutions do not understand what the weaknesses of the application are and where it is vulnerable; instead, they provide a certain set of default rules and expect security to work. In most cases it does not!

Another major limitation with traditional solutions is the expectation that customers will have the expertise to fine-tune WAF rules. When it comes to a WAF, the two key metrics that one has to track are FP (false positive: blocking legitimate traffic thinking it is malicious) and FN (false negative: not blocking malicious traffic). There is no easy answer here. Every WAF needs to be fine-tuned based on the specific web application’s needs to assure minimal FPs and FNs. Unfortunately, in the case of traditional WAFs, customers are expected to fine-tune the rules for FPs and FNs. However, as customers are not security experts, most WAF projects fail and WAFs are deployed only in learning mode, i.e. they will not block malicious requests and instead only provide alerts for the organization to take further action. As you can tell, this approach is not very effective.
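As an added illustration of the FP/FN trade-off described in this answer (example code written for this article, not AppTrana’s or Indusface’s own; the log format, rule names and review verdicts are constructed), the script below counts false positives and false negatives from reviewed WAF decisions, flags rules whose blocks mostly hit legitimate traffic, and shows what moving such a rule to alert-only (learning) mode does to both metrics:

```python
import re
from collections import defaultdict
# Constructed WAF decision log (not real AppTrana output): the WAF action, the
# rule that fired ("-" if none) and an analyst's post-review verdict per request.
SAMPLE_LOG = """\
req=1 action=block rule=sqli-1 verdict=malicious
req=2 action=block rule=sqli-1 verdict=legit
req=3 action=block rule=sqli-1 verdict=legit
req=4 action=block rule=xss-1 verdict=malicious
req=5 action=allow rule=- verdict=legit
req=6 action=allow rule=- verdict=malicious
req=7 action=block rule=lfi-1 verdict=malicious
req=8 action=allow rule=- verdict=legit
req=9 action=block rule=xss-1 verdict=legit
"""
LINE_RE = re.compile(r"action=(\w+) rule=(\S+) verdict=(\w+)")

def parse_log(text):
    """Return (action, rule, verdict) tuples, skipping lines that do not parse."""
    return [m.groups() for m in map(LINE_RE.search, text.splitlines()) if m]

def count_fp_fn(records, learning=frozenset()):
    """FP = legitimate requests blocked, FN = malicious requests let through.
    Rules in `learning` are alert-only, so their blocks are counted as allows."""
    fp = fn = 0
    for action, rule, verdict in records:
        blocked = action == "block" and rule not in learning
        if blocked and verdict == "legit":
            fp += 1
        elif not blocked and verdict == "malicious":
            fn += 1
    return fp, fn

def per_rule_fp_rate(records):
    """Fraction of each rule's blocks that hit legitimate traffic."""
    blocks, fps = defaultdict(int), defaultdict(int)
    for action, rule, verdict in records:
        if action == "block":
            blocks[rule] += 1
            fps[rule] += verdict == "legit"
    return {rule: fps[rule] / blocks[rule] for rule in blocks}

def rules_to_tune(records, max_fp_rate=0.5):
    """Rules whose FP rate exceeds the threshold: candidates for a site-specific tweak."""
    return sorted(r for r, rate in per_rule_fp_rate(records).items() if rate > max_fp_rate)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    noisy = rules_to_tune(recs)  # ['sqli-1']
    print(count_fp_fn(recs), count_fp_fn(recs, set(noisy)))  # (3, 1) then (1, 2)
```

Switching the noisy rule to alert-only removes its two false positives but also lets its one true detection through, which is why tuning has to be a site-specific rule tweak rather than a blanket move to learning mode.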

How does Indusface approach these challenges and address them?

Indusface takes a unique approach to this problem through AppTrana. First and foremost, instead of taking a one-size-fits-all approach, AppTrana understands the application’s characteristics and tailors protection to them. AppTrana comes with an inbuilt application scanner that identifies the vulnerabilities in the application. So, when an application is onboarded on AppTrana, the customer can immediately start a scan to identify the risk posture of their application.

AppTrana also has an inbuilt WAF that is completely managed by Indusface. When a site is onboarded, the WAF is enabled in block mode on day zero, i.e. right away. Initially, a set of rules called Advance rules, which Indusface has fine-tuned to ensure zero FPs, will be enabled, allowing protection to start immediately. The site’s traffic is monitored by Indusface experts for 14 days, and another, more aggressive set of rules called Premium rules is enabled in block mode after making the necessary site-specific tweaks to avoid any FPs.

Once the scan is complete, through the integrated dashboard, customers get clear visibility of all vulnerabilities that are identified and how many of them are protected by the WAF default rules. There is also an option to request custom rules for vulnerabilities not protected by default. Customers can request custom rules with a single click from the AppTrana portal, and our security experts will write the rules for them.

If you look at the end-to-end experience, the customer is not expected to have any security expertise, and the entire management is done by us. We also make sure that the site-specific risk posture is identified and addressed to provide complete protection.

Can you elaborate more on Managed WAF? Many vendors claim they also provide a Managed WAF; how are you different?

Yes, many vendors do claim Managed WAF, but it comes down to the details. When they say managed WAF, it is mostly limited to having the default rules updated, i.e. the default rules that come with the WAF will be constantly updated by the vendor, but any site-specific tweaks and management are mostly left to the customer. Most vendors provide a GUI for customers to write rules and expect them to write them based on the application’s needs. Even the very few vendors who do write custom rules for customers do not try to understand the application’s unique characteristics before writing them. They expect customers to provide all the necessary information, including technical details, before writing the rules, which in the real world is not practical since, as I said before, not many customers have the expertise.

In the case of AppTrana, management is complete. We do not expect customers to have any security expertise. When a site is onboarded, we monitor it for false positives and tweak the rules to meet the application’s needs. If there are any custom requirements, then custom rules are written by our security experts after understanding the customer’s needs. In essence, Indusface acts as an extended security team for the customer, which is generally not the case with other vendors.

We hear a lot about SaaS-based Cloud WAF; what’s the difference? Why is a Cloud WAF required?

Traditionally, WAFs were appliances that were deployed by vendors on customer premises in front of the application server. Such deployments meant the deployment and maintenance of infrastructure was the customer’s responsibility. They also came with huge limitations around scale, as one needed to size infrastructure upfront based on anticipated traffic and incur huge Capex upfront. Updating and managing WAF rules was also cumbersome in such deployments.

With rapid digitalization and the movement towards the cloud, there is a need for a better deployment model. That is why Cloud WAF has become prominent. In the case of a cloud WAF, the infrastructure, software and rules are managed by the vendor. AppTrana is one such example of a Cloud WAF, built from the ground up for the cloud. AppTrana has its infrastructure in multiple regions and is infinitely scalable based on traffic. Customers need not worry about scale; all the customer needs to do is route their traffic through AppTrana, and the traffic will be inspected to block malicious requests, resulting in only legitimate traffic reaching the customer’s infrastructure. In such a model there is no upfront Capex; the WAF is provided as a service to the customer, and they pay for what they use.

Tell us more about AppTrana. What are its key features and capabilities?

I have talked a lot about AppTrana and how it differs from traditional vendors, but that was just the tip of the iceberg. AppTrana is the only comprehensive application security solution in the market that comes with an integrated WAF, Web Application Scanner and CDN. We complement the automated scanner with manual pen-testing, which customers can request, to identify business logic vulnerabilities. This ensures that the complete risk posture is identified and immediately protected through the WAF. Adding custom rules written by our security experts provides complete protection.

AppTrana is the only solution where onboarding happens with zero downtime and the WAF is enabled in block mode by default. It is a testimony to our efficacy that nearly 96% of our deployments are in block mode all the time. We also provide comprehensive managed DDoS mitigation and bot protection, which enables sites to be available all the time; this is backed by a strict SLA. Not only that, since we understand security and speed are equally important, AppTrana comes with an integrated CDN that enables customers to choose application security without compromising speed.

You mentioned pen-testing. Can you elaborate a bit more? How is it different from an automated scan?

Our automated scanner is home-grown and built to scan new-age sites, and I am proud that it does a very good job, but no automated scan can find all vulnerabilities. There will be vulnerabilities that are application- or business-specific and can only be identified through manual checks. Many a time, customers do just automated scans and get false confidence, which is very dangerous. Though there might not be any critical vulnerabilities identified by automated scanners, the entire risk posture won’t be known until manual pen-testing is done.

When pen-testing is requested, our security experts, working with the customer, understand the nature of the application and perform ethical hacking to identify vulnerabilities that would otherwise go unnoticed. This means that the entire risk posture of the application is accurately found, and appropriate corrective action is taken.

The security landscape is ever evolving. How does Indusface ensure that it is up to date and ahead of the curve?

Our signature development team has years of experience in this field, and they constantly monitor the industry landscape to understand the new nature of vulnerabilities and attacks. They constantly keep track of zero-day vulnerabilities and ensure both the scanner and the WAF rules are up to date. We send out a zero-day coverage report every month which talks about any significant vulnerabilities that are noteworthy and also provides the coverage status of our scanner and WAF. In general, 90% of vulnerabilities are protected by default rules and the rest through custom rules.

Our team also keeps researching different ways to improve protection. Our security experts, who also do pen testing for thousands of applications every year, garner great insights that are fed into the research team to innovate. To be frank, there is no perfect solution. Application security is a constant race to stay ahead of the hackers, and the collective intelligence that our team acquires by securing thousands of applications enables us to stay ahead of the curve.

Looking ahead, what key trends do you see? How is Indusface going to address them?

Due to rapid digitalization and the move towards the cloud, with traditional businesses that were risk-averse now adopting the cloud, the boundaries between private data centers and the public cloud are quickly disappearing, and organizations are forced to adopt the new normal of having all their applications available online with users connecting from all over the world. This means the scope of application security is drastically increasing, and the risk of exposure for organizations is growing multifold. With the evolution of machine learning and AI, there is and will be a lot of talk around securing applications through machine learning. Hackers will continue to take advantage of improvements in technology to launch new forms of attacks.

Organizations will need solutions that quickly evolve, adapt and manage their security as they grow. Machine learning will not become the silver bullet that it is touted to be, as there will remain a need for human augmentation. Indusface is striving to address these challenges through a perfect blend of machine learning and human intervention.