Vendor says new updates will help organizations better monitor and secure web applications without impacting performance. Credit: Getty Images Palo Alto Networks has announced updates to its Prisma Cloud platform with new out-of-band web application and API security (WAAS) features, along with new application visibility capabilities. The vendor said the updates are designed to help organizations monitor and secure web applications without impacting performance. The move comes as businesses continue to expand their use of cloud environments and face demands in managing the complexity of cloud migration, securing applications across their lifecycle, and preventing web application attacks.Prisma Cloud updates introduce “novel approach” to web application securityIn a press release, Palo Alto stated that the latest Prisma Cloud version offers a novel approach to securing web applications and cloud environments that combines both inline and out-of-band methods. Until now, a primary approach to securing web applications has been to deploy inline web application firewalls (WAFs), but some organizations are reluctant to introduce WAFs or API security solutions inline to protect business-critical or sensitive applications due to performance and scalability concerns, the vendor said.“By adding out-of-band WAAS to Prisma Cloud, we are empowering customers with flexible security options that fit their evolving application needs,” commented Ankur Shah, senior vice president, Prisma Cloud products, Palo Alto Networks. “As more organizations move workloads to the cloud, the capabilities that make up Prisma Cloud help provide simple yet comprehensive protection.” Deeper application visibility aims to address expanding attack surfacePalo Alto has also integrated new threat detection, asset inventory, and identity management capabilities to its platform to enhance application visibility. This is intended to address the expanding cloud infrastructure attack surface as application use rises, the company said. These features include: Multi-cloud graph view for cloud infrastructure entitlement management across AWS, Microsoft Azure, and Google Cloud for the discovery of over-privileged accounts and access risksDNS-based threat detection that leverages machine learning and advanced threat intelligence to identify bad actors hiding in DNS trafficMITRE ATT&CK alert prioritization to enable security teams to prioritize risks and incidents based on the widely adopted frameworkEffective web application monitoring and security critical for businessesWith reliance on web applications ever more pervasive among modern organizations, the ability to effectively monitor and secure them has become critical for businesses. “Web application attacks are the most common cause of breaches, according to Forrester’s research,” Forrester Principal Analyst Sandy Carielli tells CSO.“Attackers will pepper web applications with standard application attacks like the OWASP Top 10, and they will also attempt bot attacks that take advantage of legitimate business logic. APIs are also subject to a range of attacks that can lead to data leaks.” Omdia Principal Analyst Rik Turner concurs. “With COVID-19 having turbocharged digital transformation, orgs’ web applications have become more important than ever, whether for e-commerce, customer interactions, online teaching, or e-government. As such, they have become even juicier targets than they were before the pandemic. Monitoring and securing web applications has become a critical capability.” Tackling excessive web application privilege issues is particularly important because many privileges tend to persist even after people either leave a company or move onto another project and no longer require access to a certain asset, Turner adds. The out-of-band approach Palo Alto has introduced addresses another important element in the web application security equation as well, he says. “All out-of-band security is designed to minimize the impact of the security tool on the thing it is protecting, i.e., avoiding the additional latency that comes with inline platforms. That goes for web applications too, in that you don’t want to slow down communications between the web front end and any backend servers/applications/databases, so as not to negatively impact the customer experience (CX).”Security functions must have visibility of the flaws applications have so that dev teams can work to fix them and security teams can protect applications from exploits targeting them until the fix is available, Carielli says. “No application is perfect, and fixes, even for high-profile vulnerabilities, aren’t instantaneous. (They require development, testing, etc.). A good example is Log4j. While everyone worked to upgrade their applications’ Log4j libraries, production-side protections blocked attempted exploits.” Related content news analysis Biden delivers updated take on security for critical infrastructure Building on previous efforts, the Biden administration's new National Security Memorandum reflects a more modern approach to protecting US critical infrastructure, giving CISA a better-defined and expanded role as the agency coordinating everyth By Cynthia Brumfield May 02, 2024 7 mins Government Threat and Vulnerability Management Critical Infrastructure news NIST publishes new guides on AI risk for developers and CISOs Companion publications to NIST’s AI Risk Management Framework explore a long worry list in more detail and are likely to become essential reading for security professionals. By John Dunn May 01, 2024 4 mins Regulation Government Security Practices news analysis 5 key takeways from Verizon's 2024 Data Breach Investigations Report The rapid of exploitation of zero-day vulnerabilities, such as MOVEit, and the effectiveness of ransomware attacks are two of the major findings from last year’s breach data. By Rosalyn Page May 01, 2024 5 mins Data Breach Zero-day vulnerability Data and Information Security feature The CSO guide to top security conferences Tracking postponements, cancellations, and conferences gone virtual — CSO Online’s calendar of upcoming security conferences makes it easy to find the events that matter the most to you. By CSO Staff May 01, 2024 15 mins Technology Industry IT Skills Events PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe