Success story: implementing the Webmonitorex platform to protect SberAuto applications

Why is it important?

In light of the constantly changing cyber threat landscape, SberAuto needed to respond quickly and effectively to newly emerging vulnerabilities and exploitation methods, especially where web applications are concerned, since the company's website is the basis of its business.

The company's infrastructure is built on microservices that interact with each other via APIs, so ensuring observability of all APIs and monitoring their changes has become much more important.

To serve each web application instance, SberAuto uses a clustered pair of Nginx web servers that perform load balancing, request routing and processing of HTTP requests from clients. When choosing an application layer firewall (WAF), it was therefore important to ensure seamless integration with the existing Nginx-based infrastructure.

To protect the infrastructure, platform modules from Webmonitorex were integrated into internal processes related not only to the protection of applications and services, but also to secure development, maintenance and dynamic testing.

The flexibility of installing a WAF node either on the load balancers or in a container next to a specific application made it possible to protect services located inside the infrastructure. Deployment is available via an Ansible playbook or Terraform, which significantly simplifies installation and maintenance.

The Webmonitorex platform has extensive capabilities for API observability and protection. In particular, the “API Structure” module was used to monitor the API, build the OpenAPI specification (OAS) and track API changes (Fig. 1); more details about this module can be found in our documentation.

The API Leaks module was used to detect token leaks, and a scanner that is also part of the Webmonitorex platform was used to identify externally accessible vulnerabilities. Vulnerabilities are also detected from application traffic, based on the analytics the product generates. You can read more about this in our documentation. The remaining components used were the firewall (WAF) and API Firewall.

As a result, the Webmonitorex product provided a flexible and effective solution to SberAuto's needs in protecting its core business, without changing the existing application publishing infrastructure and its support processes.

Product selection conditions

Compatibility with existing infrastructure. The selected product had to satisfy three main requirements:

  1. Working with mobile applications, including WebSocket processing.

  2. Working with APIs. Here it was important to provide:

  • learning and understanding APIs;

  • understanding of what is transmitted in routes;

  • identifying compromised tokens and creating rules for blocking them;

  • combating automation and IDOR attacks;

  • integration to enrich other processes' API data.

  3. Installation flexibility and cloud-native deployment. The right firewall must be seamlessly compatible with cloud infrastructure, including microservices. It must be possible to deploy it in a variety of ways, including with an Ansible playbook or Terraform, which significantly simplifies installation and maintenance.

The Webmonitorex platform fully satisfies these conditions and was therefore recognized as the best solution. It is important to note that it can be used within the “Infrastructure as Code” (IaC) approach. Deployment options are described in detail in our documentation.

Using the product in a secure development process. The product must be integrated into the process of secure application development and delivery.

Technical support. As part of technical support, Webmonitorex provides round-the-clock (24/7) information and consulting services necessary for setting up and operating its products.

Why did you choose our solution?

Ensuring the security of mobile and web applications. The Webmonitorex platform was chosen for its wide functionality in this area and, most importantly, its ability to inspect WebSocket traffic.

Ensuring API security. Our API Structure solution can analyze API traffic, including traffic between microservices, providing visibility into the entire API structure and an understanding of what types of data are transferred on specific routes. Another platform module, API Leaks, allows you to identify compromised tokens on routes. When there is information about a token leak, that token is entered into API Leaks so that API requests carrying it are monitored and WAF rules can then be created to block them.
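The requirement listed above (identifying compromised tokens and creating rules to block them) and the API Leaks flow just described boil down to a simple mechanism: keep a list of tokens reported as leaked, compare every request's token against it, block matches and record where they were seen. The following Python is an added illustration of that mechanism, not Webmonitorex code; it assumes the protected APIs send tokens as `Authorization: Bearer <token>`, stores the blocklist as SHA-256 digests so the raw secrets are never kept, and uses constructed sample requests.

```python
"""Added example (not Webmonitorex code): a minimal request filter that
mimics the API Leaks -> WAF rule flow. Tokens reported as leaked are stored
as SHA-256 digests, every request's bearer token is hashed and compared,
and matching requests are blocked and written to an audit trail."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]


@dataclass
class Decision:
    action: str   # "allow" or "block"
    reason: str
    route: str    # "<METHOD> <path>", used to see which routes need WAF rules


class LeakedTokenFilter:
    """Blocklist keyed by token digest so the raw secret is never stored."""

    def __init__(self) -> None:
        self._blocked_digests: Set[str] = set()
        self.audit: List[Decision] = []

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def register_leak(self, token: str) -> str:
        """Record a token reported as leaked; returns its digest for the audit log."""
        digest = self._digest(token)
        self._blocked_digests.add(digest)
        return digest

    @staticmethod
    def _extract_bearer(headers: Dict[str, str]) -> Optional[str]:
        # Header names are case-insensitive; only the Bearer scheme is handled here
        # (assumption: the protected APIs use "Authorization: Bearer <token>").
        for name, value in headers.items():
            if name.lower() == "authorization":
                scheme, _, token = value.strip().partition(" ")
                if scheme.lower() == "bearer" and token.strip():
                    return token.strip()
        return None

    def check(self, req: Request) -> Decision:
        """Decide whether a request may pass; every decision goes to the audit trail."""
        route = f"{req.method.upper()} {req.path}"
        token = self._extract_bearer(req.headers)
        if token is not None and self._digest(token) in self._blocked_digests:
            decision = Decision("block", "bearer token reported as leaked", route)
        else:
            decision = Decision("allow", "no leaked token presented", route)
        self.audit.append(decision)
        return decision

    def blocked_routes(self) -> List[str]:
        """Routes on which a leaked token was seen, i.e. where WAF rules are needed."""
        return sorted({d.route for d in self.audit if d.action == "block"})


def demo() -> List[str]:
    """Run the filter over constructed sample requests; returns the decisions in order."""
    flt = LeakedTokenFilter()
    flt.register_leak("tok_CONSTRUCTED_leaked_123")  # constructed sample token
    sample = [  # constructed requests, not real traffic
        Request("GET", "/api/v1/cars", {"Authorization": "Bearer tok_CONSTRUCTED_leaked_123"}),
        Request("GET", "/api/v1/cars", {"authorization": "bearer tok_CONSTRUCTED_valid_456"}),
        Request("POST", "/api/v1/orders", {"X-Request-Id": "abc"}),
        Request("DELETE", "/api/v1/orders/15", {"Authorization": "Bearer tok_CONSTRUCTED_leaked_123"}),
    ]
    return [flt.check(r).action for r in sample]


if __name__ == "__main__":
    print(demo())
```

Hashing the blocklist entries means a dump of the filter's state does not hand an attacker the live tokens; the audit trail keeps the route rather than the token for the same reason, and `blocked_routes()` is the list you would turn into per-route blocking rules.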

Integration with other processes for enrichment. The platform's query processing capabilities and the availability of a public API made it possible to use the data collected by the filter node to enrich other solutions. This made it possible to introduce categorization of routes according to the degree of criticality and, in the future, create WAF rules for the most critical routes, as well as apply a positive or negative model for working with traffic.

You can read about positive and negative models, and more, in our articles: https://habr.com/ru/companies/webmonitorx/articles/781852/ and https://habr.com/ru/companies/webmonitorx/articles/766548/

Integration into the secure development process. The API structure data collected by the new platform was to be used in the secure development and maintenance process for the company's main applications. To do this, the information collected by the API Structure module is sent to the ASOC for continuous monitoring of API changes. If an unsafe route or endpoint is detected, it is tested (DAST) and, if necessary, blocked using API Firewall, one of the Webmonitorex platform modules. The process is illustrated in Fig. 2.
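The "continuous monitoring of API changes" step above rests on being able to turn observed traffic into a route inventory and compare it with an earlier one, so that new or changed routes can be queued for testing. The Python below is an added illustration of that comparison and is not Webmonitorex or SberAuto code; it assumes Nginx-style combined access-log lines, treats numeric, long hex or UUID-shaped path segments as identifiers, and runs on constructed log lines embedded in the block.

```python
"""Added example (not Webmonitorex code): build a route inventory from
access-log lines and diff it against an earlier baseline, which is the kind
of "API changed" signal the text describes handing to an ASOC.
Assumes Nginx-style combined log lines; path IDs are numeric, long hex or UUID-shaped."""
import re
from typing import Dict, Iterable, List, Set
from urllib.parse import parse_qs, urlsplit

# Request line inside a combined-format log entry, e.g. "GET /api/v1/cars?page=1 HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Segments that look like identifiers collapse to {id}, so /cars/42 and /cars/77 form one route
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-fA-F]{16,}|[0-9a-fA-F-]{36})$")

Inventory = Dict[str, Set[str]]   # "METHOD /normalized/path" -> query parameter names seen


def normalize_path(path: str) -> str:
    segments = [seg for seg in path.split("/") if seg]
    return "/" + "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in segments)


def build_inventory(log_lines: Iterable[str]) -> Inventory:
    inventory: Inventory = {}
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue   # unparseable line: skip it rather than fail the whole run
        parts = urlsplit(match.group("target"))
        route = f"{match.group('method')} {normalize_path(parts.path)}"
        inventory.setdefault(route, set()).update(parse_qs(parts.query).keys())
    return inventory


def diff_inventories(baseline: Inventory, current: Inventory) -> Dict[str, List[str]]:
    """Routes that appeared, disappeared, or kept their path but changed parameters."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(r for r in set(baseline) & set(current) if baseline[r] != current[r])
    return {"added": added, "removed": removed, "changed": changed}


def review_queue(diff: Dict[str, List[str]]) -> List[str]:
    """Routes to send for a security check (e.g. a DAST run) before they stay exposed:
    anything new, plus anything whose accepted parameters changed."""
    return sorted(set(diff["added"]) | set(diff["changed"]))


# Constructed log lines, not real SberAuto traffic
BASELINE_LOG = [
    '10.0.0.5 - - [10/May/2024:10:00:01 +0300] "GET /api/v1/cars?page=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/May/2024:10:00:02 +0300] "GET /api/v1/cars/42 HTTP/1.1" 200 2048',
    '10.0.0.6 - - [10/May/2024:10:00:03 +0300] "POST /api/v1/orders HTTP/1.1" 201 64',
]
CURRENT_LOG = [
    '10.0.0.5 - - [24/May/2024:10:00:01 +0300] "GET /api/v1/cars?page=2&sort=price HTTP/1.1" 200 512',
    '10.0.0.5 - - [24/May/2024:10:00:02 +0300] "GET /api/v1/cars/77 HTTP/1.1" 200 2048',
    '10.0.0.7 - - [24/May/2024:10:00:03 +0300] "DELETE /api/v1/orders/15 HTTP/1.1" 204 0',
    'garbage line that is not an access log entry',
]


def demo() -> Dict[str, List[str]]:
    """Diff the two constructed snapshots; returns the added/removed/changed routes."""
    return diff_inventories(build_inventory(BASELINE_LOG), build_inventory(CURRENT_LOG))


if __name__ == "__main__":
    for kind, routes in demo().items():
        print(kind, routes)
    print("review:", review_queue(demo()))
```

In the constructed snapshots the diff reports a new `DELETE /api/v1/orders/{id}` route, a removed `POST /api/v1/orders` route and a changed `GET /api/v1/cars` route (it gained a `sort` parameter); the first and last of these go to the review queue, which is the point at which the text's DAST step and, if needed, an API Firewall block would apply.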

Fig. 2. Integration into the secure development process

Compatibility with cloud infrastructure. Our platform is flexible in terms of installation. It integrates with Nginx, Nginx Plus and Kubernetes Ingress, which simplifies deployment and ensures compatibility with existing infrastructure, including microservices. The implementation presented here allows delivery in various forms, including an Ansible playbook or Terraform. You can learn more about this in our documentation.

Fig. 3. Operation scheme

New level of protection. Our solution provides a new level of protection, including against the attacks described in the OWASP Top 10, behavioral attacks and zero-day attacks (active attack verification functionality; you can read more about it here).

Intelligent approach and low false positive rate. Our solution uses intelligent traffic and attack analysis techniques to provide high accuracy and low false positives without the need for manual intervention.

CI/CD process support. Our solution is ready to interact with CI/CD platforms in terms of transferring information via API, which ensures that security rules are updated along with the application. This ensures continuous protection and rapid response to new threats.

Final result and benefits:

As a result of implementing the Webmonitorex platform, consisting of the firewall (WAF) and the “API Structure”, API Leaks and API Firewall modules, the following results were achieved.

  1. The minimum number of specialists required to support the solution. A total of two specialists are required: one AppSec and one DevOps.

  2. Minimum time spent by specialists supporting the solution. Specialists spend only 20% of their working time protecting an infrastructure consisting of:

  • five APIs (three public and two internal);

  • one integration API;

  • five web applications;

  • three mobile applications.

  3. The frequency of changes across all APIs is once every two weeks.

We invite you to a webinar on May 16 at 12:00 (Moscow time) on the topic “API Management. Implementation case on the Webmonitorex platform.”

What we will talk about at the webinar:

  • What to pay attention to when securing APIs in today's environment.

  • Changes in infrastructure. What's next?

  • API protection and management. Why is it important.

  • API protection approaches. From maturity to efficiency: Know. Protect. Prevent.

  • Implementation on the Webmonitorex platform: components for protecting and managing the API.

Special guest: Kirill Ilyin, CISO of SberAuto, who will talk honestly and openly about the tasks, practices and results of API protection in his company.

Register via the link.

Reference: CI/CD (Continuous Integration/Continuous Deployment)

What is CI/CD:

CI/CD (Continuous Integration/Continuous Deployment) is a software development practice that automates the integration (CI) and continuous deployment (CD) of code into a production environment. CI automatically integrates code from different sources, tests it and produces a build whenever the code changes. CD automates delivery of the application to production once CI has completed successfully.

Why is this necessary:

CI/CD is designed to speed up and simplify the process of software development and delivery. This allows:

  • Reduce the time between writing code and releasing it to production.

  • Improve code quality as every change goes through automated tests.

  • Reduce risks associated with manual processes.

  • Improve collaboration between development and support teams.

Connection with microservices:

CI/CD is an essential component for the successful implementation of microservice architecture. Microservices are typically a collection of small and independent services, and CI/CD allows you to manage their continuous deployment and integration. This allows you to speed up these processes.

Connection with DevOps and DevSecOps:

DevOps is the culture and practice of combining Development and Operations to automate and accelerate the process of developing, deploying, and managing applications. CI/CD is a key part of DevOps because it automates and simplifies application deployment and management.

DevSecOps is an extension of DevOps that includes Security. DevSecOps strives to integrate security right from the start of application development and implementation. CI/CD allows you to automate security testing and integrate security into the development and delivery process.

Don't forget to subscribe to our Telegram channel to keep up to date with all the news and announcements.
