How To Perform Web Application Security Testing Using AppTrana

An In-Depth Review of AppTrana – A Perfect Application Security Solution from Indusface: 

Nowadays, website security is no more an option, as any internet-facing site is prone to attacks. Attackers do it for a variety of reasons, some do it for fame, some do it to get competitive info and some do it just for fun.

No matter what the reason, the breach is costly, and regardless of whether the company is big or small, every internet-facing website needs a comprehensive security solution.

AppTrana Review: Application Security For The Masses

Today we are going to review one of the comprehensive application security solutions around i.e. AppTrana from Indusface.

AppTrana comes with an integrated solution that provides customers with a web application scanner (WAS), completely managed web application firewall (WAF), integrated DDOS protection, and website accelerator (CDN).

AppTrana takes a unique approach to application security and advocates the identification of application risk posture and fortification of the weakest links for effective protection. Its approach is different from most WAF solutions as it provides a generic solution and lets management to the customer.

Though the other solutions provide an option to import scan results from different vendors due to the diverse nature of solutions, it’s generally very hard to find a solution that provides automated rules which patch these vulnerabilities immediately and it becomes the responsibility of the customer to ensure that the vulnerabilities are patched.

But in most cases, customers do not have the expertise to do a good job. However, With AppTrana, the customer need not worry about expertise. AppTrana provides comprehensive coverage through its managed offering where security experts write the rules without expecting the customers to have any expertise.

Suggested Read => Perfect Web Application Security Testing Guide

Salient Features

Enlisted below are some of the prominent features of AppTrana.

#1) Uncover Vulnerabilities Non-Stop: AppTrana provides you with the ability to conduct frequent automated scans that look for OWASP Top 10 vulnerabilities. Customers can also choose to do grey box testing by providing valid credentials.

#2) Manual Pen-Testing: Customers can also request manual pen-testing, where security experts check your site to find if there are any complex vulnerabilities in the business layer that the hackers can exploit.

#3) Patch Vulnerabilities Immediately: Vulnerabilities found can be fixed instantly through AppTrana WAF which comes with core rule sets built by experts that protect your website against OWASP Top 10 vulnerabilities.

#4) Checks for False Positives: Customers can request experts to monitor your site for false-positive and tweak the site rules to ensure zero false positives.

#5) Custom Patches: If in case the vulnerabilities are not fixed by the core rules then custom patches which would be written by security experts ensuring comprehensive protection can be requested.

#6) Deploy in Minutes Without Downtime: The entire deployment happens within a span of a few minutes. All sites are automatically onboarded to cater to both HTTP & HTTPS traffic. AppTrana built bottom-up on AWS is architected by keeping security & performance in mind.

The highly reliable & scalable architecture ensures that the machines auto-scale based on load, by safeguarding against any latency. There is no need for any additional infra deployments from the customer side.

#7) DDoS Protection: AppTrana ensures site availability through advanced DDOS protection. AppTrana provides 2 levels of DDOS protection.

•  Out-of-the-box rate control rules and captcha protection in case of suspected DDOS attacks.
•  Automatic alerts and custom rules are written by experts in case of sustained Layer 7 DDOS attacks based on the attack pattern to thwart more sophisticated attacks.

Also, Read => the List of the Top DDOS Attack Tools

#8) Speed Up Website Performance: AppTrana in partnership with Tata Communications provides an integrated CDN that helps to improve the site performance. Tata Communications’ Whole Site Acceleration (WSA) technology delivers blazing fast speed and carrier-grade resilience that is required to ensure that the content is always instantly accessible worldwide

AppTrana: Under the Hood

In this AppTrana review, we are going to onboard a site on a premium plan and walk through the dashboard.

Getting Started

You can perform a hands-on test for your website or web application by creating a free trial AppTrana account here.

As we have chosen a premium plan, there is no free trial and you will be asked to provide Credit Card information or provide a license. In case you want to check out the product first, then try the Advance plan which comes with a 14-day free trial. For completeness, we will proceed with the premium plan in this review.

The next step will be to provide the site that you want to protect, once you provide that, check with the configuration and ensure that it is accurate. CDN is enabled by default (Actually it is a two-step process which will be explained later).

Next, the customer would be requested to provide their SSL certificate. This is required so that the HTTP traffic can be decrypted and monitored for attacks.

Alternately, the customer can choose to use Letsencrypt free certificate where AppTrana will automatically generate a certificate for the domain and the customer need not provide any certificate. The customer can also choose to buy an Entrust certificate from Indusface.

That’s it, now you will be asked to make a CNAME change to have traffic diverted to AppTrana infrastructure and onboarding will be completed, and thereby protection will start immediately. The best part is that there is no downtime during the entire onboarding.

Portal Review

Once the CNAME change is done the site is on-boarded into the AppTrana SaaS Infrastructure. With this, the protection of the site gets started.

• Sites by default get on-boarded in block mode with Advanced Rules applied to the site. According to Indusface, these rules are fine-tuned to zero-false positive by ensuring that there is no disruption to access to the site.
• Also, the Premium Rules are put in log mode and are monitored by security experts from Indusface. Based on the monitoring, the Indusface security experts make the necessary changes to the rules and customize them to meet the application’s needs. Later, within 14 days, the site is moved to Premium Rules. This option is only available only for Premium users.

Let’s look at the portal now. When you log in to the portal, you will land on the dashboard page. This is a clean high-level summary page that gives you the details on the website configured, their status around vulnerabilities found, attacks seen, and if any actions are required.

The User can select any site and drill down deeper to get more details. If you move to the Summary page, you will see additional details about the state of the website selected.

This page is essentially a single view that provides information on the current state of the site and the admin can look at this page and understand if any further action is required from his end and understand how the protection is working.

Understanding Risk Profile

Now let’s take a look at the detect page, where the user can get the details of vulnerabilities found on the site. It provides detailed information on the kind of vulnerabilities found.

One can also find the protection/patch status of the vulnerabilities found. This page provides information like if the vulnerability can be protected by Advance Rules, Premium Rules, or Custom Rules. If vulnerability can be protected by Custom Rule, then the user can request the same by clicking on the Request Custom rule button.

The request is sent to the Indusface team and the security experts write the rules for you. The premium plan comes with an unlimited custom rule. The advance plan comes with 2 custom rules.

The users can also start the automated scan at any point from here for any number of times. Also, they can request Manual Pen-Testing (PT). PT is done by security experts and they look for vulnerabilities that cannot be identified by automated scans.

PT scan requests go to the Indusface team and the security experts reach out to the user to understand the application better before commencing the test. Generally, it is completed within 4 weeks from the request. This option is available only in the Premium Subscription and is restricted to 1 scan a year. For additional scans, a separate license needs to be bought.

A User can also download a detailed report of the vulnerabilities found on the site. It provides complete detail of the vulnerability found and the steps that can be taken to mitigate it.

Protection & Monitoring

As AppTrana is a completely managed solution, the protection & monitoring page is more of an analytics view which helps the users understand what is being protected, what kind of attacks are blocked, etc. In general, not much action is expected to be taken by users.

Users can look at the details and then choose to blacklist/whitelist IP, country, or URI.

Apart from that for any other tweaks or changes, AppTrana expects the users to reach out to their 24*7 support team and they do customized changes at the backend. Essentially a user is not expected to be an expert in security, and they offload the management of WAF from the customers.

The monitoring page provides information about the changes made by the security team for the site and the efficacy of the same.

Settings Page

The settings page provides an option for the users to make any changes to the domain that they have onboarded for protection. They can change the forwarding address, and change the plan update SSL certificate from here.

WAF Settings tab provides some sleek options that can come in handy in case of any issues.

There are multiple states that WAF can be in.

• Log & Block: This is the default state and the rules will be in the block model.
• Log Mode: This is used during any debugging stage. When WAF is moved to the log mode all the rules will continue to monitor the traffic, but the action will be to log instead of blocking malicious requests. Comes in handy to debug any rules that are misbehaving.
• Disabled: This state essentially means that WAF is disabled and the traffic is passed through WAF.
• Bypass: This is an interesting option with AppTrana. This is essentially equivalent to a fail-open option that you see with on-premise vendors.

By now, you know that for protection to work, you need to make traffic pass through AppTrana Infra, and for effective protection of Origin, AppTrana recommends restricting access to the backend only from AppTrana’s IP.

Now if there are any unforeseen issues or if any change in the backend needs to be tested without WAF for some time, then the users would have to make a CNAME change and whitelist the external IPs which in any organization is a cumbersome process.

With the bypass feature, AppTrana has provided a nice workaround in the bypass mode, the traffic does not go through WAF infra, but it just goes through a TCP proxy and reaches the backend from the same AppTrana’s IP by effectively working as fail open and comes in very handy during troubleshooting.

Website Acceleration

As mentioned before, CDN enablement is a 2-step process, once you have onboarded in WAF, the user looking for website acceleration should click the enable button for the CDN tab, at this point the Indusface team monitors the site and adds the required Cache settings.

Once they have done the necessary settings, the customer can come here and update the Cache Status to ON to get the CDN enabled.

AppTrana Pricing

A customer can choose from any one of the below plans to start the AppTrana Journey.

• Basic Plan: Free for life. Get started by Identifying the Risk Posture of the site through AppTrana’s automated scanner.
• Advance Plan: At 99$/month with a 14-day free trial. Get started with immediate protection against the vulnerabilities detected.
• Premium Plan: At 399$/month, you will get complete AppTrana Protection. Comes with 1 premium scan for every 12 months and unlimited custom rules.

Conclusion

AppTrana is a complete application security solution with free basic and other premium plans, they have ensured that application security is now available to the masses.

The management part is a bit comprehensive in terms of managing and customizing the rules to ensure that WAF works in block mode seamlessly.

If you are an SME or MSE who is looking for an application security solution that works, you can give it a try. Also, feel free to share your thoughts in the comments section below!