{"id":630,"date":"2015-10-01T16:29:15","date_gmt":"2015-10-01T16:29:15","guid":{"rendered":"\/?p=630"},"modified":"2015-10-01T16:29:15","modified_gmt":"2015-10-01T16:29:15","slug":"brains-vs-brawn-cracking-the-seventh-layer","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/brains-vs-brawn-cracking-the-seventh-layer\/","title":{"rendered":"Brains vs. Brawn \u2013 Cracking the Seventh Layer"},"content":{"rendered":"

Author:<\/em> Rishi Agarwal, Chief Evangelist, NSFOCUS<\/em><\/p>\n

When the news reports on DDoS attacks, it is generally referring to large-scale network attacks that are focused on Layer 3 and 4 of the network stack. However, from a mitigation point of view, network layer attacks are not sophisticated. The ability to mitigate this type of attack always comes down to a simple question: who has more network capacity, the attacker or the mitigation service?<\/p>\n

On the other hand, the application\/Layer 7 attack is a completely different animal. When defending against these stealthy and complex methods, success does not depend on how big you are, but rather how smart your security technology is and how well it can be utilized.<\/p>\n

The Invisible Attack<\/strong><\/p>\n

Successful mitigation of the Layer 7 DDoS attack relies on the ability to accurately profile incoming traffic \u2013 to distinguish between humans, human-like bots and hijacked Web browsers and connected devices, such as home routers. As a result, the Layer 7 mitigation process is often much more complex than the attack itself. This complexity, combined with the fact that\u2014if done right\u2014the attack will remain transparent, contributes to the lack of headlines on this subject. The security industry in general prefers to talk in terms of network capacity, which of course says nothing about your resilience against application layer attacks.<\/p>\n

While network attacks over-exercise specific functions or features of a website with the intention of disabling them, an application-layer attack is different because many vulnerabilities that exist in the proprietary code of Web applications are unknown to existing security defense solutions.<\/p>\n

The Cloud and pervasive cloud-based platforms that are becoming the new normal in application development have increased the attack surface for many organizations. In order to defend against the ever-changing DDoS landscape, developers need to integrate security measures while in the development phase of the application itself.<\/p>\n

To assist in defending against Web threats, the Open Web Application Security Project (OWASP) was created. It releases some of the most critical risks facing organizations in its \u201cTop Ten Most Critical Web Application Security Risks<\/a>.\u201d<\/p>\n

While the report outlines ten of the most prevalent application-layer risks, this information is only released every three years. In the meantime, new and more sophisticated attack methods are being perpetrated at an alarming rate. Until developer\u2019s ingrain security solutions into their products, it will be up to security teams to be ever vigilant by implementing solutions that are designed to identify anomalous behavior in the network upon ingress.<\/p>\n

Best Practices to Protect Critical Applications.<\/strong><\/p>\n

If you are a software developer or cyber security professional it is vital that the following best practices be followed, at a minimum.<\/p>\n