Hello, and welcome back. Let's now look at application and data security, starting with application security, specifically, we're going to talk about Alibaba Cloud's web application firewall. So before we look at web application firewall itself, let's take a look at some of the attacks that it's designed to defend against. So one of the most common attack types is the webshell. This is where an adversary takes advantage of a existing vulnerability in some application that's running on your web server, maybe to bypass authentication, or maybe they'll use SQL injection or cross-site scripting, but somehow they've managed to gain access to your web server in a way that allows them to insert an executable file such as a PHP file. They can then visit the URL of that file on your web server, and it will execute giving them remote access to the web server itself, possibly with elevated permissions. That's what you see in the diagram on the slide.

Here the attacker is exploiting a vulnerability to insert the webshell code, maybe a PHP file. And then they're connecting to that remote webshell and executing commands using some type of a client like the popular Cknife Java Client, which is essentially designed for taking advantage of webshells. So in general, when we're talking about threats from the network, there are three types of attacks, there are DDoS attacks, which we talked about earlier when we brought up anti-DDoS, application attacks, and then targeted attacks.

So DDoS attacks are the easiest to carry out, they require very little knowledge of your target. You just need to know the IP address you want to launch the attack against, and you need to have sufficient resources to overwhelm the target with traffic. Application attacks require more knowledge of the target. So if you're an attacker and you want to carry out an application attack, you need to know what software is running on the server you want to attack, you need to know what types of attacks it would be vulnerable to. But again, there are lots of toolkits if you're an attacker that can help you get that information and launch some types of attacks in a fully automated way. Web application firewall is primarily designed to help you deal with this middle box here, this middle circle in yellow, application attacks. And then on the far right just for completeness, we include targeted attacks, these are attacks where the attacker actually spends real time and effort to perform reconnaissance and to learn about you specifically or your system specifically, so as to carry out a more effective attack. This would include social engineering.

So, maybe calling your company to learn who works there and try to get people to give up access credentials by impersonating your IT department, or maybe a reverse-engineering attack where the attacker has access to a copy of software that's running on your servers and is able to reverse-engineer that software, looking for flaws that they can exploit. Targeted attacks are the most expensive for the attacker, but they're also the hardest to defend against.

So in this part of the course, we'll focus only on application attacks. So there's multiple types of injection attacks, there's HTML injection, SQL injection, Xpath injection, LDAP injection, and then other things like cross-site scripting. In most cases, the goal is the same. You're trying to get the web server to store and potentially execute code that it should not. That's the general idea. We have other security classes where we go into more detail about that, in this class, we're only going to discuss how WAF defends against these attacks, we won't go into detail about how the attacks work.

So what is WAF? WAF is a web application firewall that uses a set of rules to filter and monitor HTTP and HTTPS traffic between web applications and the internet. WAF is a layer-7 defense system, so it operates at the application layer. But that means it's not suitable for defending against say a SYN flood, that's a layer-4 attack, that's something you'd use anti-DDoS to defend against, but it is very good at defending against multiple different types of application layer attacks, and can even be used to detect bots and scrapers, which might not technically count as an attack but can have an adverse impact on your website. And of course, just like anti-DDoS, Alibaba Cloud WAF is a web service that can be placed in front of any public web origin.

So your web server doesn't need to be hosted on Alibaba Cloud in order for you to use WAF, your web server could live somewhere else, say AWS or Google Cloud, and you'd still be able to put Alibaba Cloud WAF in front of it. Similarly, WAF can be put behind other vendors, CDN or DDoS tools if you want. So it's a very flexible tool. Alibaba Cloud has been working on WAF and using it in production now for more than 10 years. So we've built in quite a lot of features, it has human-machine identification, specific anti-bot features that can detect bots and scrapers, accurate access blocking based on IP address blacklists and on heuristics, a zero-day vulnerability hotfixes that can protect you against brand new threats that don't have a patch yet, and threat intelligence that's based on all of the attack data that we collect every day. And then my favorite data breach protection, which can actually anonymize data that's being passed back out from your web application.

So WAF can monitor both inbound and outbound traffic. And if an attack does somehow make it through WAF, when the attack data is returned or when the data's returned from your web application to the attacker, WAF can actually detect certain patterns like ID numbers or phone numbers, and anonymize them by replacing a portion of the ID or phone number with stars, with asterisks. So it can actually keep the attacker from getting at the information they wanted in the first place. Attack vectors addressed by WAF include SQL injection, cross-site scripting, scanners and probes, attackers with known origins, we block those using IP reputation lists and also most types of bots and scrapers that are designed to interact with your site or application in an automated way, say to take advantage of a coupon or offer, or to attack your site in some other way.

So in practice, WAF's malicious traffic mitigation looks something like this. You have legitimate traffic and attack traffic coming in from the internet together. Those all get sent to WAF together, and then WAF has to use both a threat intelligence model and IP reputation data, as well as human rules written by an expert, you can add that if you like, to identify the threat traffic and drop it. So, in the end what reaches your backend, what reaches your web server or web application is only the legitimate traffic.

Alright, so that's all for application security, let's now turn our attention to data security and that's security, both for data in transit and at rest. And then I'll talk a little bit about legal and compliance, I'll talk about content moderations, how do you deal with user generated content? Let's start by talking about our SSL certificate service, which is designed for encrypting and protecting data in transit. So before we talk about our SSL certificate service, we need to give a little bit of background information on SSL and on web access in general.

So, when you visit a website like google.com, you are using the HTTP protocol, that's the protocol that your computer or your browser uses to communicate with Google. And this is a common application layer protocol on the internet, this is probably the most common protocol in use on the internet today. The problem is it doesn't include built-in encryption and that's what SSL does. SSL, Secure Sockets Layer provides a public key encryption technology that can work with HTTP to encrypt HTTP traffic. And actually, I should say modern implementations of this encryption are called TLS not SSL, but you'll still see SSL talked about frequently in documentation and in conversations online.

So what is HTTPS, HTTPS is just encrypted HTTP, so it's HTTP plus SSL. Most modern websites use HTTPS now, it's quite rare to visit a website that doesn't use HTTPS. So what is an SSL or a TLS certificate? This is essentially a document that you put on your web server that is used to encrypt the communications between your web server and your end user's web browser or application. And the SSL cert contains two things one, it contains a copy of your public key. This is the key that you'll send to the web browser on the customer's end or the client's end, to encrypt communications with your web server. But it also contains a cryptographic signature from a third party, verifying that you really are the owner of xyz.com or mysite.com.

So how does it get signed? Well, what you do is you create a CSR, a certificate signing request that includes details about your website and also your public key. You give that to the CA, the certificate authority, they verify the details, and then they issue you with an SSL cert, which is a document that contains both your public key and a cryptographic signature from the CA, that validates you as the owner of xyz.com or my site.com. Modern web browsers like Chrome will only trust websites that have an SSL certificate that's signed by a valid CA. So it's very important to have a signed SSL certificate.

If you're doing something as an experiment or locally just for testing, you can create what's called a self-signed certificate, but if you use that in production on a website, your users will get a big red warning that says this site is untrusted. So it's always a good idea in production to use a certificate that's been signed by a known valid certificate authority. So the SSL certificate service actually automates this process. So it allows you to purchase a certificate directly through the SSL certificate console. And then it goes through the process of validation and signing for you with one of Alibaba's CA partners.

Once you have a valid SSL cert that you've bought through the service, you can one-click deploy it onto WAF, onto CDN, onto anti-DDoS, onto ECS, onto Server Load Balancing, anywhere you want, and it even gives you the option if you need to, to revoke a certificate. If a certificate has been stolen or compromised, obviously you need to revoke it to keep it from fooling your users. So there's an option to revoke certificates through the SSL certificate console as well. Again, you can use it to deploy HTTPS over many other Alibaba Cloud products including anti-DDoS, WAF, load balancers, CDN, OSS, and even the RDS database service. So all of these services can be protected by the SSL certificate service. Let's now move on to key management service.

So KMS is also an encryption service focused on managing encryption keys, so with KMS, you no longer have to spend time to protect the confidentiality, integrity, and availability of your keys, KMS does this for you. It integrates very easily with other services like RDS and Object Storage Service, and allows you to perform encryption at rest for ECS disks, for OSS buckets, and for data in the RDS databases. It's an envelope encryption technology, so you can actually use KMS to store and encrypt other keys.

Essentially, if you want, you can use it in a scenario like this here, where you're protecting your HTTPS certificate from being stolen. So what you would do is you'd create a master key in KMS, you would encrypt your HTTPS certificate so your SSL certificate, and then you'd only decrypt that certificate when you needed to serve a web request. So you could actually use KMS as a way to achieve additional security on top of your SSL certificate, by keeping that certificate locked away in KMS and safe from tampering or replacement.

Another place where you could use KMS would be for local encryption and decryption of data. So you'd create a master key in KMS, then you generate a key that you'll use to encrypt and decrypt data stored on a ECS instance disk say, and then what you can do is actually store that data encryption key, the encryption key for encrypting and decrypting data on your disk alongside the encrypted backup, and that's safe to do because you've encrypted that data encryption key with your KMS master key.

Later when you need to decrypt the data, you take that encrypted data encryption key, pass it to KMS, get it decrypted, and then use it to decrypt the data from your backup. So it's a good way to protect other encryption keys, that's the primary use case for KMS. So let's now move in an entirely different direction and look at content moderation. So this has nothing to do with data security, it has more to do with business and platform security.

If you're in the business of providing a platform that allows users to upload their own content, then you'll probably have to do some type of filtering, you'll want to eliminate advertising violence, other inappropriate content, maybe pornography. You might want to keep these things off of your platform. And in order to do that, you need some kind of an automated filtering tool, and that's what content moderation does, it provides an API that you can pass images, video, text, and audio to, and then it will analyze that content to see if there's anything that matches a set of filter criteria. If it finds something that matches those criteria, it can either pass the content to a human for second stage review or directly reject the content.

So this is a way to cut down on the amount of moderation, human moderation that you have to do on your platform. So it can also do site inspection, so the service can be set up to regularly check a public-facing website for inappropriate content, and can let you know via email if it finds any. It can also do this for OSS buckets, so it can check the content of OSS buckets for you. And there's again the content moderation API, which you can build into a web service. So if you're trying to detect violent, terroristic, pornographic, or ad-based content and keep it off your platform, you can use the content moderation API to help you achieve that by simply building this API service into your website.

So anytime a user uploads, texts, or images, or video, you can pass that to the API and have it make a judgment about whether or not the content is appropriate. And that's all for this section, in the next section, we'll have a quick recap.