An In-Depth Review of AppTrana – A Perfect Application Security Solution from Indusface:
Nowadays, website security is no more an option, as any internet facing site is prone to attacks. Attackers do it for a variety of reasons, some do it for fame, some do it to get competitive info and some do it just for fun.
No matter what the reason, the breach is costly and regardless of the company is big or small, every internet facing website needs a comprehensive security solution.
What You Will Learn:
AppTrana Review – Application Security For The Masses
Today we are going to review one of the comprehensive application security solutions around i.e. AppTrana from Indusface.
AppTrana comes with an integrated solution that provides customers with web application scanner (WAS), completely managed web application firewall (WAF), integrated DDOS protection and website accelerator (CDN).
AppTrana takes a unique approach to application security and advocates identification of application risk posture and fortification of the weakest links for effective protection. Its approach is different from most of the WAF solution as it provides a generic solution and lets management to the customer.
Though the other solutions provide an option to import scan results from different vendors due to the diverse nature of solutions, it’s generally very hard to find a solution that provides automated rules which patch these vulnerabilities immediately and it becomes the responsibility of the customer to ensure that the vulnerabilities are patched.
But in most cases, customers do not have the expertise to do a good job. However, With AppTrana, the customer need not worry about expertise. AppTrana provides comprehensive coverage through its managed offering where security experts write the rules without expecting the customers to have any expertise.
Suggested Read => Perfect Web Application Security Testing Guide
Enlisted below are some of the prominent features of AppTrana.
#1) Uncover Vulnerabilities Non-Stop: AppTrana provides you with the ability to conduct frequent automated scans that look for OWASP Top 10 vulnerabilities. Customers can also choose to do grey box testing by providing valid credentials.
#2) Manual Pen-Testing: Customer can also request for manual pen-testing, where security experts check your site to find if there are any complex vulnerabilities in the business layer which the hackers can exploit.
#3) Patch Vulnerabilities Immediately: Vulnerabilities found can be fixed instantly through AppTrana WAF which comes with core rule sets built by experts that protect your website against OWASP Top 10 vulnerabilities.
#4) Checks for False Positives: Customers can request experts to monitor your site for false positive and tweak the site rules to ensure zero false positives.
#5) Custom Patches: If in case the vulnerabilities are not fixed by the core rules then custom patches which would be written by security experts ensuring comprehensive protection can be requested.
#6) Deploy in Minutes Without Downtime: The entire deployment happens within a span of a few minutes. All sites are automatically on-boarded to cater to both HTTP & HTTPS traffic. AppTrana built bottom up on AWS is architected by keeping security & performance in mind.
The highly reliable & scalable architecture ensures that the machines auto-scale based on load, by safeguarding against any latency. There is no need for any additional infra deployments from the customer side.
#7) DDoS Protection: AppTrana ensures site availability through advanced DDOS protection. AppTrana provides 2 levels of DDOS protection.
- Out of the box rate control rules and captcha protection in case of suspected DDOS attacks.
- Automatic alerts and custom rules are written by experts in case of sustained Layer 7 DDOS attacks based on the attack pattern to thwart more sophisticated attacks.
Also Read => List of the Top DDOS Attack Tools
#8) Speed Up Website Performance: AppTrana in partnership with Tata Communications provides integrated CDN that helps to improve the site performance. Tata Communications’ Whole Site Acceleration (WSA) technology delivers blazing fast speed and carrier-grade resilience that is required to ensure that the content is always instantly accessible worldwide
AppTrana – Under the Hood
In this AppTrana review, we are going to onboard a site on a premium plan and walk through the dashboard.
You can perform a hands-on test for your website or web application by creating a free trial AppTrana account here.
As we have chosen a premium plan, there is no free trial and you will be asked to provide Credit Card information or provide a license. In case if you want to check out the product first, then try the Advance plan which comes with a 14 days free trial. For completeness, we will proceed with the premium plan in this review.
The next step will be to provide the site that you want to protect, once you provide that, check with the configuration and ensure that it is accurate. CDN is enabled by default (Actually it is a two-step process which will be explained later).
Next, the customer would be requested to provide their SSL certificate. This is required so that the https traffic can be decrypted and monitored for attacks.
Alternately, the customer can choose to use Letsencrypt free certificate where AppTrana will automatically generate a certificate for the domain and the customer need not provide any certificate. The customer can also choose to buy an Entrust certificate from Indusface.
That’s it, now you will be asked to make CNAME change to have traffic diverted to AppTrana infrastructure and onboarding will be completed, and thereby protection will start immediately. The best part is that there is no downtime during the entire onboarding.
Once the CNAME change is done the site is on-boarded into the AppTrana SaaS Infrastructure. With this, the protection of the site gets started.
- Sites by default get on-boarded in block mode with Advanced Rules applied to the site. According to Indusface, these rules are fine-tuned to zero-false positive by ensuring that there is no disruption to the access of the site.
- Also, the Premium Rules are put in log mode and is monitored by security experts from Indusface. Based on the monitoring, the Indusface security experts make the necessary changes to the rules and customize it to meet the application need. Later, within 14 days, the site is moved to Premium Rules. This option is only available only for Premium users.
Let’s look at the portal now. When you log in to the portal, you will land on the dashboard page. This is a clean high-level summary page that gives you the details on the website configured, their status around vulnerabilities found, attacks seen and if any actions are required.
The User can select any site and drill down deeper to get more details. If you move to the Summary page, you will see additional details about the state of the website selected.
This page is essentially a single view that provides information on the current state of the site and the admin can look at this page and understand if any further action is required from his end and understand how the protection is working.
Understanding Risk Profile
Now let's take a look at the detect page, where the user can get the details of vulnerabilities found in the site. It provides detailed information on the kind of vulnerabilities found.
One can also find the protection/patch status of the vulnerabilities found. This page provides information like if the vulnerability can be protected by Advance Rules, Premium Rules or Custom Rules. If vulnerability can be protected by Custom Rule, then the user can request for the same by clicking on the Request Custom rule button.
The request is sent to the Indusface team and the security experts write the rules for you. The premium plan comes with an unlimited custom rule. The advance plan comes with 2 custom rules.
The users can also start the automated scan at any point from here for any number of times. Also, they can request for Manual Pen-Testing (PT). PT is done by security experts and they look for vulnerabilities that cannot be identified by the automated scans.
PT scan requests go to Indusface team and the security experts reach out to the user to understand the application better before commencing the test. Generally, it is completed within 4 weeks from the request. This option is available only in the Premium Subscription and is restricted to 1 scan a year. For additional scans, a separate license needs to be bought.
A User can also download a detailed report of the vulnerabilities found in the site. It provides complete detail of the vulnerability found and the steps that can be taken to mitigate.
Protection & Monitoring
As AppTrana is a completely managed solution, the protection & monitoring page is more of analytics view which helps the users understand what is being protected, what kind of attacks are blocked, etc. In general, not much action is expected to be taken by users.
Users can look at the details and then choose to blacklist/whitelist IP, country or URI.
Apart from that for any other tweaks or changes, AppTrana expects the users to reach out to their 24*7 support team and they do customized changes at the backend. Essentially a user is not expected to be an expert in security, and they offload the management of WAF from the customers.
The monitoring page provides information around the changes made by the security team for the site and efficacy of the same.
The settings page provides an option for the users to make any changes to the domain that they have on-boarded for protection. They can change the forwarding address, and change plan update SSL certificate from here.
WAF Settings tab provides some sleek options that can come in handy in case of any issues.
There are multiple states that WAF can be in.
- Log & Block: This is the default state and the rules will be in the block mode.
- Log Mode: This is used during any debugging stage. When WAF is moved to the log mode all the rules will continue to monitor the traffic, but the action will be to log instead of blocking malicious requests. Comes in handy to debug any rules that are misbehaving.
- Disabled: This state essentially means that WAF is disabled and the traffic is passed through WAF.
- Bypass: This is an interesting option with AppTrana. This is essentially an equivalent to a fail-open option that you see with on-premise vendors.
By now, you know that for protection to work, you need to make traffic pass through AppTrana Infra, and for effective protection of Origin, AppTrana recommends restricting access to backend only from AppTrana’s IP.
Now if there are any unforeseen issue or if any change in the backend needs to be tested without WAF for some time, then the users would have to make CNAME change and whitelist the external IP’s which in any organization is a cumbersome process.
With the bypass feature, AppTrana has provided a nice workaround in the bypass mode, the traffic does not go through WAF infra, but it just goes through a TCP proxy and reaches the backend from same AppTrana’s IP by effectively working as fail open and comes in very handy during troubleshooting.
As mentioned before, CDN enablement is a 2-step process, once you have on-boarded in WAF, the user looking for website acceleration should click the enable button for CDN tab, at this point the Indusface team monitors the site and adds the required Cache settings.
Once they have done the necessary settings, the customer can come here and update the Cache Status to ON to get the CDN enabled.
A customer can choose from any one of the below plans to start the AppTrana Journey.
- Basic Plan: Free for life. Get started by Identifying Risk Posture of the site through AppTrana’s automated scanner.
- Advance Plan: At 99$/month with a 14-day free trial. Get started with immediate protection to the vulnerabilities detected.
- Premium Plan: At 399$/month, you will get complete AppTrana Protection. Comes with 1 premium scan for every 12 months and unlimited custom rules.
AppTrana is a complete application security solution with a free basic and other premium plans, they have ensured that application security is now available to the masses.
The management part is a bit comprehensive in terms of managing and customizing the rules to ensure if WAF works in block mode seamlessly.
If you are an SME or MSE who is looking for an application security solution that works, you can give it a try. Also, feel free to share your thoughts in the comments section below!