Yesterday, we introduced an expansion of Barracuda Cloud Application Protection (CAP), Barracuda’s platform for web application and API protection (WAAP), to add powerful new automated API Discovery and GraphQL security capabilities, augment Account Takeover Protection capabilities, and enhance the client-side protection feature set.
To give you a closer look at what's new and how it can help you, we sat down to talk with Nitzan Miron, Vice President of Product Management, Application Security at Barracuda, to get his insights on the new version of Cloud Application Protection.
Q&A with VP Nitzan Miron
Nitzan, what's new with Barracuda Cloud Application Protection with this release?
To start with, Cloud Application Protection is Barracuda’s WAAP platform, and the idea behind it is that application security has become really complex with a lot of disparate solutions and a lot of threats that businesses need to be protected from. And with Barracuda Cloud Application Protection, we're trying to make it easy and create one platform that gives you everything you need to protect your applications in an easy-to-use package.
Earlier this year, we published our research into the new ABCs of Application Security – API Protection, Bot Protection and Client-Side Security. With this release, we’re introducing powerful new capabilities that address complex threats from each of these threat vectors. These new capabilities are also built to be easy to use and enable continuous security and compliance with security standards like the upcoming PCI-DSS.
In terms of API Protection, we are introducing API Discovery backed by machine learning (ML) and security for GraphQL-based APIs. For Bot Protection, we are introducing Privileged Account Protection, which uses machine learning to perform risk-based identification of account takeover attacks and new ML models to detect advanced bots. And for client-side security, we are providing more automation and visibility into the configurations required to secure applications against website supply chain attacks.
Can you go into some more detail about the API Discovery capabilities?
Sure thing. Barracuda Web Application Firewall and WAF-as-a-Service can now perform continuous, automatic API Discovery using machine learning. What this means in practice is that if an application uses an API, Web Application Firewall or WAF-as-a-Service can discover them directly without the use of manual configuration.
This capability greatly reduces the admin overheads of importing API specs and configuring protections, while allowing development teams to build and deploy secure APIs quickly. API Discovery removes the worry about undiscovered or shadow APIs used in applications that could result in API abuse or data breaches, improving compliance and security.
An example of shadow APIs causing havoc would be the OptinMonster WordPress plugin vulnerability. Over one million sites were impacted by this vulnerability because the API endpoints were not properly secured. A bigger problem was that admins were not aware that their sites had this API exposed in many cases — and this is a pattern we’ve seen often with WordPress and plugins. In this case, if the site were protected by our API discovery capabilities, it would have been discovered, protected, and surfaced to the admin.
Got it — can you talk about the other API Protection capability with GraphQL protection?
GraphQL is an open-source query language for APIs that is rapidly changing the way APIs are built and delivered. It speeds up development, and with an improved developer experience, a significant portion of applications are moving to GraphQL from plain REST APIs. While GraphQL enables creation of flexible APIs, it involves complex configurations that may expose the applications to various security vulnerabilities, such as, DDoS attacks, injection attacks, introspection queries (which can expose sensitive data), or other malicious queries.
With this new release, we’ve added native parsing of GraphQL requests and enforcing of security checks to protect against these attacks. GraphQL is being widely adopted for new applications everywhere, and these capabilities will help prevent these applications from being vulnerable right from the get-go.
Let’s talk about the B of ABC — what are our new Bot Protection capabilities?
So, with bot attacks, one of the most common, critical attacks is account takeover. Web applications and APIs are constantly under the threat of account takeover attacks. Account takeover attacks are commonly used by cybercriminals to steal the user accounts of legitimate users, both personal and business accounts, by using stolen credentials from data breaches. Once these accounts are stolen, the malicious actors can use the accounts to transfer money, use stored funds, credit cards, gift cards, and loyalty points, push ransomware, steal data and perform other cyberattacks, including in other bot campaigns like scalping and web scraping.
With this release, Barracuda Cloud Application Protection adds an evolutionary upgrade to the existing ATO capabilities — Privileged Account Protection (PAP). Backed by a machine learning layer, PAP learns the login patterns of configured login accounts and identifies the riskiness of logins. When a risky login is identified by the machine learning models, PAP can alert the admin and perform preconfigured actions to prevent account takeover attacks.
This feature is also important when it comes to PCI-DSS compliance. The new PCI-DSS 4.0 standards have a fair bit around login protections based on risk scores, where PAP fits in quite well. Look out for more information on that from us very soon!
We’ve also added new machine learning models for detecting advanced bots and new feedback loop capabilities the Advanced Threat Intelligence dashboard for Bot Protection.
Got it, and the C? New Client-Side Protection capabilities?
Client-side attacks have grown greatly in prominence, and skimmers from the likes of the Magecart group have been causing severe damage to websites over the past few years. In this release, Barracuda Cloud Application Protection’s Client-Side Protection has added improved controls over the configuration and visualization of Content-Security Policies and Sub-Resource Integrity settings. The Application Dashboard now supports actions with one-click suggestions for fixing CSP violations and adds new visualizations and controls to make it easier for admins to setup and maintain their protections.
So in practice, what this means for admins is that we take out a lot of the hard work in setting up and maintaining their CSP and SRI configurations — and this alone is a big relief. The visualization and one-click remediation settings add another layer of ease of use that we will continue improving as we go along to make it even easier for admins to setup and manage these complex settings.
Is there anything else you want to mention that we haven’t covered?
Yes! The new technology integration of Barracuda Web Application Firewall and Venafi Trust Protection Platform offers a fully featured, unified solution that enables the secure, centralized, and automated management of certificates and keys across Barracuda Web Application Firewall. This integration adds security to the managed machine identities and eliminates the anxiety and risk associated with certificate-related downtime and risks. Customers using Barracuda and Venafi can now directly visit the Venafi Marketplace to try this integration out.
Protect your apps with one simple platform.
Tushar Richabadas is Senior Product Marketing Manager, Applications and Cloud Security, Barracuda. Prior to this role, Tushar was a Product Manager for the Barracuda Web Application Firewall and Barracuda Load Balancer ADC, with a focus on cloud and automation. Tushar has a wide range of experience, from leading networking product testing teams and technical marketing for HCL-Cisco. Tushar closely tracks the rapidly increasing impact of digital security and is passionate about simplifying digital security for everyone.