To prioritize your efforts effectively, you first need to understand your applications: their key components and their areas of vulnerability. Consider the platforms on which the application resides; the data that travels between a user and an application; the DNS that resolves the IP address used to reach the application; the web and application servers; and the associated APIs that are used by other applications and systems.
F5 uniquely enhances the security strategy your business wants to adopt, with security solutions and services defined by robust policies and controls, and simplifies the effective management of constantly evolving risk factors. "If you want to protect the tools that drive your business, that means protecting the applications that run them."
Karim ZGUIOUI - Systems Engineer North Africa - F5
9. APPLICATIONS ARE the business, the reason people use the Internet, the gateway to DATA, the target. Data is the currency. Your Data has value.
10. EXPANDING THREAT SURFACE AREA
86% of all cyber-threats target applications and application identities [1]*
APPLICATION INVENTORY: 0% of customers can state with confidence the number of applications in their portfolio [2]
INADEQUATE VISIBILITY: 0% of customers have the visibility they need to effectively manage their application portfolio [2]
[1] F5 Labs Application Protection Report 2018
[2] F5 SOAS Report 2019
* Remaining 14% is physical attacks and “other” (including VPN, network, DNS and direct database and ATM attacks)
11. Application threats at each tier:
Client: Man-in-the-browser, Session hijacking, Malware, Cross-site request forgery
Network: DDoS, Eavesdropping, Protocol abuse, Man-in-the-middle
DNS: DNS hijacking, DDoS, DNS spoofing, DNS cache poisoning, Man-in-the-middle
TLS: Certificate spoofing, Protocol abuse, Session hijacking, Key disclosure
Access: Credential theft, Credential stuffing, Session hijacking, Brute force, Phishing, Dictionary attacks, DDoS, Cross-site scripting
App services: Abuse of functionality, Man-in-the-middle, DDoS, Malware, API attacks, Injection, Cross-site scripting, Cross-site request forgery
12.
13. (Same tier-by-tier threat diagram as slide 11.)
14.
15. Application Threats at Each Tier
DDoS Protection: Ensure your apps are always up and running, protected against multi-vector DDoS attacks.
TLS/SSL visibility & Orchestration: Go beyond visibility with orchestration of TLS/SSL encrypted traffic.
Intelligent DNS: Secure your DNS infrastructure.
Access Management: Enable secure anytime, anywhere access to apps wherever they reside.
Web App and API Protection: Protect against application exploits and fraud, deter unwanted bots and other automated threats, and ensure appropriate authentication and authorization for APIs.
16. Web App Attacks are the #1 Source of Data Breaches
2019 Verizon Data Breach Investigations Report
“Web Application Attacks remains the most prevalent”
“Use of stolen credentials against web applications was the dominant hacking tactic”
20. Step 2: Reduce Your Attack Surface
Attack surface components:
- Sub domains hosting other versions of the main application site
- Dynamic web page generators
- HTTP headers and cookies
- Admin interfaces
- Apps/files linked to the app
- Web service methods
- Helper apps on client (Java, Flash)
- Server-side features such as search
- Web pages and directories
- Shells, Perl/PHP
- Data entry forms
- Administrative and monitoring stubs and tools
- Events of the application: triggered server-side code
- Backend connections through the server (injection)
- APIs
- Cookies/state tracking mechanisms
- Data/active content pools: the data that populates and drives pages
21. Step 3: Prioritize Defenses Based on Risk
Focus OpEx & CapEx spend
(Chart axes: Security value vs. Effort by organisation)
“If you focus on results, you will never change. If you focus on change, you will get results.”
23. The most important gap when deploying an application …
Security Orientations: Bot Protection, API Protection, SSL Orchestration, Zero Trust Access
Source: State Of Application Services Report, F5 Networks, January 2019
Security adoption is increasing:
WAF protection: 66% in 2019 – 56% in 2015
DDoS protection: 67% in 2019 – 53% in 2015
Fraud: 69% in 2019 – 41% in 2015
Security (chart): 2015 32%, 2016 32%, 2017 39%, 2018 43%, 2019 60%