The present application relates generally to an improved data processing apparatus and method and more specifically to mechanisms for providing adaptive rule loading and session control for securing network delivered services.
Many organizations are facing unprecedented challenges in ensuring that their websites are secure and perform well. With the growing trend to deliver software as a service (SaaS), attackers have more motivation to penetrate such websites to steal valuable business information. A SaaS provider hosts several SaaS applications, including competing customers' applications, and these applications sometimes share the same resources, such as databases or file systems. Thus, there is a potential for malicious attacks, or attempts to steal information, such as from client computing devices targeting particular service provider applications, or even from one service provider application to another service provider application. Moreover, there is a potential for even unintentional access to sensitive information of a service provider application, such as a request from a client computing device unintentionally accessing information for a different service provider application than was intended, due to the shared resources of the provider.
There are a number of ways in which the security of SaaS providers, and other service providers, may be breached either intentionally or unintentionally. For example, a malicious party may use cross-site scripting, Structured Query Language (SQL) injection, cross-site request forgery, or the like. Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Often, during an XSS attack, everything looks fine to the end user, who may nonetheless be subject to unauthorized access, theft of sensitive data, and financial loss.
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input contains SQL statements, or when user input is not strongly typed, and that input is thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
Cross-site request forgery (CSRF), also known as a one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. CSRF is a form of confused deputy attack in which an attacker confuses or tricks an end user into loading a page that contains a malicious request. The malicious request inherits the identity and privileges of the end user to perform an undesired function on the user's behalf, such as accessing bank accounts. CSRF attacks generally target functions that cause a state change on the server (such as a money transfer) or that access sensitive data (such as stealing an end user's personal information).
Because of these and many other types of attacks that can potentially damage websites, website providers and web service providers are adding more and more sophisticated defense mechanisms to protect their assets, e.g., more and more filters that filter malicious inputs. However, adding more defense mechanisms often negatively impacts the performance of the websites hosting the SaaS applications. That is, more processing of inputs and outputs is necessary as each layer of security is added, which in turn causes a reduction in the throughput and responsiveness of the provider and, ultimately, of the websites and web services hosted by the provider.
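As an added illustration (not code from this application) of the layered filters described above and of the per-request cost they impose, the following Python filter chain checks a request for the three attack classes named here and also reports how many signature evaluations it spent; the rule patterns, the `Request`/`Session` types and the sample inputs are constructed for this example and are far smaller than a real signature set.

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed, illustrative signature sets for the two input-based attacks
# described above; production filters carry far larger rule sets.
XSS_RULES = [re.compile(p, re.I) for p in (
    r"<\s*script\b", r"\bon[a-z]+\s*=", r"javascript\s*:")]
SQLI_RULES = [re.compile(p, re.I) for p in (
    r"'\s*or\s+'[^']*'\s*=\s*'", r";\s*(drop|delete|update)\b",
    r"\bunion\s+(all\s+)?select\b", r"--\s*$")]

@dataclass
class Session:
    # Per-session anti-CSRF token, issued once and compared on state changes.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    method: str
    params: dict
    session: Session
    csrf_token: Optional[str] = None

def scan_params(req: Request, rules) -> Tuple[bool, int]:
    """Return (hit, evaluations): whether any rule matched a parameter
    value, and how many regex evaluations were spent finding out."""
    evals = 0
    for value in req.params.values():
        for rule in rules:
            evals += 1
            if rule.search(str(value)):
                return True, evals
    return False, evals

def check_csrf(req: Request) -> bool:
    # Only state-changing methods must carry a token matching the session's.
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True
    return req.csrf_token is not None and secrets.compare_digest(
        req.csrf_token, req.session.csrf_token)

def filter_request(req: Request) -> Tuple[str, int]:
    """Run the layered filters; returns (verdict, regex_evaluations).
    Every added rule set costs evaluations on every request it reaches."""
    if not check_csrf(req):
        return "reject:csrf", 0
    total = 0
    for name, rules in (("xss", XSS_RULES), ("sqli", SQLI_RULES)):
        hit, evals = scan_params(req, rules)
        total += evals
        if hit:
            return f"reject:{name}", total
    return "allow", total
```

A benign two-parameter GET costs 14 evaluations here (every rule against every value), which is the cost that grows with each filter layer added.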