Alert Logic Full Stack Security: Protecting App Frameworks

This is a continuation of my blog series on Alert Logic’s full stack security approach to protecting your web applications in the cloud. This week, I’m going to discuss how Alert Logic protects your app frameworks.

Content management systems (CMS) such as Joomla, Drupal and WordPress are some of the most popular app frameworks in use today. WordPress is by far the most widely deployed CMS—running on 29 percent of the world’s websites. Let’s take a look at how Cloud Insight, Alert Logic’s cloud-native configuration and vulnerability management solution, can be used in conjunction with the AWS WAF (web application firewall) as well as Alert Logic’s external network vulnerability scanning capabilities to provide 360 degrees of security coverage for your WordPress deployment.

I recently spun up a few AWS EC2 instances and installed WordPress on them. These are free-tier eligible standalone t2.micro instances I will be using for test purposes. Cloud Insight Essentials auto-discovers your cloud resources, helps to locate any configuration exposures you may have in your AWS environment and provides incident response for Amazon GuardDuty should your WordPress deployment ever come under attack. Cloud Insight Essentials can be upgraded to a standard Cloud Insight deployment—which provides pre-authorized scanning for 100,000+ third-party vulnerabilities that could be hidden within your application stack. AWS free-tier coupled with Alert Logic’s free trial of Cloud Insight Essentials gives you a great opportunity to kick the tires with no risk or upfront commitment. When you’re ready to run live traffic, have a look at AWS’s great documentation on building out a production-ready WordPress site.

Internal Vulnerability Scanning

Alert Logic Cloud Insight is a cloud-native vulnerability and configuration management solution designed to help you protect the business applications you run on Amazon Web Services. There are no agents to install and Cloud Insight is tightly integrated with all available AWS APIs, allowing for auto-discovery of new instances and to check for system misconfigurations.

Within minutes of bringing up my instances, Cloud Insight has detected a change to my deployment topology and placed the servers into its scanning queue. Under normal circumstances, instances in your topology will be scanned at least once every 24 hours. Cloud Insight allows you to optionally use credentials to perform host-level authenticated scanning. Using Windows or SSH credentials as part of your scans allows for more accurate vulnerability scans and lowers the number of false positive results. For best practices and additional documentation on our scanning capabilities please visit Get Started with Alert Logic Scans.

Internal vulnerability scanning is a critical component of an effective security posture. Cloud environments are dynamic in nature and require ongoing security checks to mitigate risk and limit security exposures. Alert Logic provides over 300 scan checks for WordPress. These scans are a collection of well-documented common vulnerabilities and exposures (CVEs) known to impact WordPress. They can identify vulnerabilities such as cross-site scripting (CSS), SQL injection, and side-channel attack opportunities in your WordPress deployment, should it be left unpatched or misconfigured. Cloud Insight is automatically authorized to scan your AWS assets, so no additional authorization is required. Additionally, Cloud Insight does not require an agent to be installed on your WordPress instances.

Once an instance has been scanned, you’ll see all pertinent host information, such as name, public and private IPs, security group, image ID and state. If the system detects any vulnerabilities on your WordPress host, you can find those under the Remediations tab. From here, you can search for and filter on vulnerabilities that require remediation, ranked by high, medium, low and informational. My hosts are in the same security group, so I’ll use that to filter my remediations.

If I click on the details of the first one, I can see that the system has detected that my hosts are running older versions of WordPress with known security vulnerabilities. Wordpress recently published an updated security and maintenance release, so Cloud Insight is recommending I upgrade my hosts to the most recent version.

Alternatively, Cloud Insight offers a rich API in the event that you prefer to manage the security of your assets programmatically. Here I’ve pulled the details of a specific remediation from one of my WordPress hosts.

Another important factor to consider is that you can inherit vulnerabilities from your underlying applications and infrastructure. Here we can see that Cloud Insight detected that the Apache web server that I am using to serve up my WordPress pages is also susceptible to attack due to a well-known OptionsBleed vulnerability. This particular attack could expose process memory data to would-be attackers.

My WordPress application and Apache web server present the most obvious entry points for public attacks, but it’s important to consider that attacks could come from anywhere in your application stack or underlying infrastructure due to vulnerabilities in code and misconfigured infrastructure. Going back to our second screenshot, we can see that Cloud Insight has also outlined actions to eliminate single points of failure in my application by recommending the deployment of an Elastic Load Balancer and/or Auto Scaling Group. Additionally, it has recommended that I disable unnecessary software and also provides further guidance on tightening up loosely-configured security.

It’s a full stack approach to getting your WordPress deployment in line with AWS Security Best Practices. If you’re new to AWS, or cloud in general, be sure to check out the AWS Shared Responsibility Model. The main takeaway here is that securing workloads in the cloud is a shared responsibility between you, the customer, and your cloud service provider. The cloud service provider is responsible for the security of the underlying infrastructure of the cloud itself, and you are ultimately responsible for protecting the web applications—such as WordPress—that you deploy into the cloud.

AWS WAF + Alert Logic Virtual Patching for WordPress

AWS WAF is a web application firewall designed to protect web applications running in AWS from common Internet threats such as SQL injection, malicious bots and cross-site scripting. AWS WAF can be configured to allow, block or monitor web traffic based on custom user-configurable rulesets. At re:Invent 2017, AWS announced availability of Managed Rules for AWS WAF. Alert Logic was one of the first AWS partners to provide a managed ruleset for AWS WAF with its release of Virtual Patches for WordPress for AWS WAF.This collection of virtual patches for WordPress is continuously updated and curated by Alert Logic’s expert staff of security researchers. Alert Logic’s virtual patches are available through the AWS Marketplace as a subscription-based service and provide a low-cost, quick and easy way to secure your WordPress application. These rules work in conjunction with your existing WAF rules and protect your application from a rolling six months of known WordPress exploits. You can manage your Alert Logic managed rule subscription directly from the AWS WAF console and cancel at any time.

External Vulnerability Scanning

If you operate in a regulated industry and require external vulnerability scanning, such as for PCI compliance, rest assured that Alert Logic is a PCI approved scanning vendor and has over 450 intrusion detection system (IDS) signatures for WordPress. Cloud Insight delivers internal vulnerability scanning functionality as required by PCI DSS requirement 11.2.1. External scanning can also be used as a mechanism to validate that your WAF rules are providing the proper protection for your web application.

Summary

These are just a few examples of how Alert Logic’s full suite of security technologies can help protect your WordPress application framework using a full stack approach to security. In a perfect scenario all WordPress web apps would be built as outlined in this AWS WordPress reference architecture with all components in a dedicated VPC, isolated public and private subnets, running the latest software versions, and all in redundant and auto-scaling configurations in order to keep it safe and secure. However, unless we’re building completely greenfield, we don’t always have that luxury. In addition, there are new security threats emerging daily.

If you’re running WordPress in AWS, consider a full stack security approach with Alert Logic Cloud Insight protecting you from inherited and platform vulnerabilities coupled with Virtual Patches for WordPress for AWS WAF for layer 7 application protection for total piece of mind. That’s full stack security.

Check out the complete series on full stack security:

About the Author

Jose Malacara - Senior Manager Cloud Security Practice

Jose Malacara

Jose is a Senior Manager in the Alert Logic Cloud Security Practice. He is an AWS Certified Solutions Architect and has over 18 years of broad technology experience, drawing on his many years working in various product management, sales and network engineering roles building and supporting cloud applications for companies like FATHOM, Rackspace and ANX. Jose received his MBA from Concordia University in 2012 and holds an undergraduate degree in Geography from the University of Texas at Austin.

Email Me | More Posts by Jose Malacara