An In-Depth Review of AppTrana – A Perfect Application Security Solution from Indusface
With every internet-facing site exposed to attack, website security is no longer optional. Attackers strike for a variety of reasons: some for fame, others to obtain competitive information, and some just for fun.
No matter what the reason, the breach is costly, and regardless of whether the company is big or small, every internet-facing website needs a comprehensive security solution. Let’s look at one such effective tool.
AppTrana Review: Application Security for the Masses
Today we are going to review one of the more comprehensive application security solutions around: AppTrana from Indusface.
AppTrana is an integrated solution that provides customers with a web application scanner (WAS), a completely managed web application firewall (WAF), integrated DDoS protection, and a website accelerator (CDN).
AppTrana takes a unique approach to application security: it advocates identifying the application's risk posture and fortifying the weakest links for effective protection. This differs from most WAF solutions, which provide a generic rule set and leave the management to the customer.
Though other solutions offer an option to import scan results from different vendors, given the diverse nature of those solutions it is generally very hard to find one that provides automated rules to patch the discovered vulnerabilities immediately. It then becomes the customer's responsibility to ensure that the vulnerabilities are patched.
But in most cases, customers do not have the expertise to do a good job. However, with AppTrana, the customer need not worry about expertise. AppTrana provides comprehensive coverage through its managed offering where security experts write the rules without expecting the customers to have any expertise.
Enlisted below are some of the prominent features of AppTrana.
#1) Uncover Vulnerabilities Non-Stop: AppTrana provides you with the ability to conduct frequent automated scans that look for OWASP Top 10 vulnerabilities. Customers can also choose to do grey box testing by providing valid credentials.
#2) Manual Pen-Testing: Customers can also request manual pen-testing, where security experts can check your site to see if there are any complex vulnerabilities in the business layer that the hackers can exploit.
#3) Patch Vulnerabilities Immediately: Vulnerabilities found can be fixed instantly through AppTrana WAF, which comes with a core rule set built by experts that protects your website against OWASP Top 10 vulnerabilities.
#4) Checks for False Positives: Customers can request experts to monitor their site for false positives and tweak the site rules to ensure zero false positives.
#5) Custom Patches: If the vulnerabilities are not covered by the core rules, custom patches written by security experts can be requested to ensure comprehensive protection.
#6) Deploy in Minutes Without Downtime: The entire deployment happens within a span of a few minutes. All sites are automatically onboarded to cater to both HTTP & HTTPS traffic. AppTrana, built bottom-up on AWS, is architected by keeping security & performance in mind.
The highly reliable and scalable architecture ensures that the machines auto-scale based on load, safeguarding against latency. No additional infrastructure deployment is needed on the customer side.
#7) DDoS Protection: AppTrana ensures site availability through advanced DDoS protection, offered at two levels:
- Out-of-the-box rate control rules and captcha protection in case of suspected DDoS attacks.
- Automatic alerts, and custom rules written by experts based on the attack pattern, in case of sustained Layer 7 DDoS attacks, to thwart more sophisticated attacks.
#8) Speed Up Website Performance: AppTrana, in partnership with Tata Communications, provides an integrated CDN that helps to improve site performance. Tata Communications' Whole Site Acceleration (WSA) technology delivers blazing fast speed and the carrier-grade resilience required to ensure that content is always instantly accessible worldwide.
AppTrana: Under the Hood
For the AppTrana review, we are going to onboard the site to a premium plan and walk you through the dashboard.
You can perform a hands-on test for your own website or web application by creating a free trial AppTrana account.
Since you have chosen a premium plan, there is no free trial and you will be asked to provide your Credit Card information or provide a license. If you want to check out the product first, then try the Advance plan which comes with a 14-day free trial. For completeness, we will proceed with the premium plan for this review.
The next step is to provide the site that you want to protect. Once you provide it, check the configuration and ensure that it is accurate. CDN is enabled by default (actually it is a two-step process, which is explained later).
Next, the customer is asked to provide their SSL certificate. This is required so that HTTPS traffic can be decrypted and monitored for attacks.
Alternately, the customer can choose to use a free Let's Encrypt certificate, in which case AppTrana automatically generates a certificate for the domain and the customer does not need to provide one. Customers can also choose to buy an Entrust certificate from Indusface.
That’s it, you will now be asked to make a CNAME change to have traffic diverted to AppTrana infrastructure and onboarding will be completed, and thereby protection will start immediately. The best part is that there is no downtime during the entire onboarding.
Once the CNAME change is done, the site will be on-boarded into AppTrana SaaS Infrastructure. With this, the protection of the site gets started.
- Sites by default get on-boarded in block mode with Advanced Rules applied to the site. According to Indusface, these rules are fine-tuned to zero false positives, ensuring that there is no disruption to access to the site.
- Also, the Premium Rules are put in log mode and are monitored by security experts from Indusface. Based on the monitoring, the Indusface security experts make the necessary changes to the rules and customize them to meet the application’s needs. Later, within 14 days, the site will be moved to Premium Rules. This option is only available for Premium users.
Let’s look at the portal now. When you log in to the portal, it will land on the dashboard page. This is a clean, high-level summary page that gives you the details of the website configured, their status around vulnerabilities found, attacks seen, and if any action is required.
The user can select any site and drill down deeper to get more details. If you move to the Summary page, you will see additional details about the state of the website selected.
This page is essentially a single view that provides information on the current state of the site so the admin can look at this page and understand if any further action is required from their end and understand how the protection is working.
Understanding the Risk Profile
Now let’s take a look at the detection page, where the user can get the details of vulnerabilities found on the site. It provides detailed information on the kind of vulnerabilities found.
One can also find the protection/patch status of the vulnerabilities found. This page shows whether each vulnerability can be protected by Advance Rules, Premium Rules, or Custom Rules. If the vulnerability requires Custom Rules, the user can request them by clicking the Request Custom Rules button.
The request is sent to the Indusface team, and security experts write the rules for you. The premium plan comes with unlimited custom rules; the advance plan comes with 2 custom rules.
Users can also start an automated scan at any point from here any number of times. They can also request Manual Pen-Testing (PT). PT is done by security experts and they look for vulnerabilities that cannot be identified by automated scans.
PT scan requests go to the Indusface team and security experts reach out to the user to better understand the application before commencing the test. Generally, it is completed within 4 weeks from the request. This option is only available for Premium Subscription and is restricted to 1 scan a year. For additional scans, a separate license needs to be bought.
Users can also download a detailed report of the vulnerabilities found on the site. It provides complete details of the vulnerability found and the steps that can be taken to mitigate it.
Protection & Monitoring
As AppTrana is a completely managed solution, the protection & monitoring page is more of an analytics view which helps the users understand what is being protected, what kind of attacks are blocked, etc. In general, not much action is expected to be taken by users.
Users can view the details and then choose to blacklist/whitelist IP, country, or URI.
Apart from that, for any other tweaks or changes, AppTrana expects users to reach out to its 24x7 support team, who make the customized changes on the backend. Essentially, a user is not expected to be a security expert; the management of the WAF is offloaded from the customer.
The monitoring page provides information about the changes made by the security team for the site and the efficacy of the same.
The settings page lets users make changes to the domain that they have onboarded for protection. They can change the forwarding address, change the plan, or update the SSL certificate from here.
The WAF Settings tab provides some sleek options that can come in handy in case of any issues.
There are multiple states that WAF can be in.
- Log & Block: This is the default state; the rules are in block mode.
- Log Mode: This can be used during any debugging stage. When the WAF is moved to log mode, all the rules continue to monitor the traffic, but the action is to log instead of blocking malicious requests. It comes in handy to debug any rules that are misbehaving.
- Disabled: This state essentially means that the WAF is disabled and the traffic is passed through without the rules being applied.
- Bypass: This is an interesting option with AppTrana. This is essentially equivalent to a fail-open option that you see with on-premise vendors.
For now, please know that for protection to work, you need to make traffic pass through AppTrana Infra, and for effective protection of Origin, AppTrana recommends restricting access to the backend only from AppTrana’s IP.
Now, if there are any unforeseen issues, or if a change in the backend needs to be tested without the WAF for some time, the user would normally have to make a CNAME change and whitelist the external IPs, which in any organization is a cumbersome process.
The bypass feature provides a neat workaround: in bypass mode, the traffic does not go through the WAF infrastructure but through a plain TCP proxy, and it reaches the backend from the same AppTrana IPs. This effectively works as fail-open and comes in very handy during troubleshooting.
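The origin-side allowlist that makes this recommendation (and the bypass mode's same-IP design) work, as an added example that is not from the review or from Indusface: the origin refuses connections that do not come from the WAF's egress ranges and trusts the X-Forwarded-For header only on those connections. The ranges below are constructed placeholders; the real ranges come from the provider.

```python
"""Origin-side allowlist for a site fronted by a managed WAF/CDN proxy.

Added example, not the review's or Indusface's code. WAF_RANGES holds
constructed placeholder networks; use the egress ranges your provider
publishes.
"""
import ipaddress
from typing import Optional

# Constructed placeholder ranges standing in for the WAF's egress IPs.
WAF_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]


def from_waf(remote_addr: str) -> bool:
    """True if the TCP peer address belongs to the WAF's egress ranges."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in WAF_RANGES)


def client_ip(remote_addr: str, xff: Optional[str]) -> Optional[str]:
    """Resolve the real client IP for logs, rate limits and IP blocklists.

    Returns None when the request must be refused: either the peer is not
    the WAF (someone is reaching the origin directly, skipping protection),
    or the forwarded header is malformed. X-Forwarded-For is trusted only
    after the peer has been verified as the WAF; a direct caller could
    otherwise spoof any client address in it.
    """
    if not from_waf(remote_addr):
        return None
    if xff is None or not xff.strip():
        return remote_addr
    # Each hop appends the address it saw; with a single trusted proxy
    # in front of us, the rightmost entry is what the WAF recorded.
    last = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None


if __name__ == "__main__":
    # Direct hit on the origin from outside the WAF: refused.
    print(client_ip("192.0.2.1", "10.0.0.5"))        # None
    # Proxied request: header is trusted, client address recovered.
    print(client_ip("203.0.113.10", "192.0.2.44"))   # 192.0.2.44
```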
As mentioned before, CDN enablement is a two-step process. Once the site is onboarded to the WAF, a user looking for website acceleration should click the enable button on the CDN tab; at this point the Indusface team monitors the site and adds the required cache settings.
Once they have applied the necessary settings, the customer can update the Cache Status to ON to get the CDN enabled.
Customers have the option to select from any one of the below plans to start the AppTrana Journey.
- Basic Plan: Free for life. Get started by identifying the risk posture of the site through AppTrana's automated scanner.
- Advance Plan: At $99/month with a 14-day free trial. Get started with immediate protection against the vulnerabilities detected.
- Premium Plan: At $399/month, you get complete AppTrana protection. Comes with 1 premium scan every 12 months and unlimited custom rules.
AppTrana is a complete application security solution that comes with a free basic plan and paid premium plans. Indusface has ensured that effective application security is now available to the masses.
The management side is comprehensive: the rules are managed and customized for you so that the WAF works in block mode seamlessly.
If you are an SME or MSE who is looking for an application security solution that works, you can give it a try. Also, feel free to share your thoughts in the comments section given below! We look forward to hearing from you.