Web Security Threats
- SQL Injection
- Cross Site Scripting
- Cross Site Request Forgery

Web Application Security Devices
- Network security devices that can protect against these attacks
  - Web security gateways
  - Web application firewalls
    - Dedicated, special-purpose firewalls that can do deep inspection of web requests

Web Application Firewall Inspection
- WAF sits in front of one or more web servers and intercepts requests
- Looks for:
  - Telltale signs of malicious activity
  - Compliance with web application firewall rules

Host-Based Application Firewalls
- In addition to hardware devices, WAFs can also be implemented in software on the server
- Similar actions, but only protect a single server

Cloud-Based Web Application Firewalls
- Run by a third-party provider 'in the cloud'
- DNS change routes all web traffic to the cloud provider
- Provider performs filtering service and routes acceptable packets back to the web server
- Allows economies of scale and reduces maintenance requirements