Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX

Critical infrastructure organizations such as financial services, energy, and healthcare companies are constantly under attack. To counter these attacks, the federal government recommends adopting Zero Trust; unfortunately, 80% of critical infrastructure organizations in the United States have not.

I had the opportunity to speak in a webinar with F5 NGINX, where we discussed how to best secure critical applications that utilize F5 NGINX using the shared responsibility model. We dug deep into the network stack to learn how OPSWAT’s Certified Module for F5 NGINX Plus—a plug-and-play, zero-trust security solution—combats file upload threats. 

Risks and Challenges in Application Security

Malicious files are a popular method for breaching cyber defenses. In 2022, Trend Micro reported over 22 billion attempts utilizing malicious files to infect systems. The rise of increasingly evasive malware increases these risks. One study found that 98% of malware uses at least one evasive technique.

Organizations are aware of these risks. OPSWAT surveyed 300 different organizations asking about their web application security concerns. Over 90% were worried about loss in revenue, while reputational damage and the inability to provide services rounded out the top three. These concerns were similar across industries and locations. Preventing these risks requires a zero-trust file upload solution.

Application Security Blind Spots

While aware of the harm insecure applications pose, many organizations are unaware of how to best protect against common threats. In the same survey, we identified three common blind spots in organizations’ web application security stack: not scanning all file uploads to prevent malicious files, scanning incoming files with only one antivirus engine, and not sanitizing file uploads to prevent unknown malware and zero-day attacks.

Malicious files are often the first step toward breaching a network. Failing to scan files with multiple anti-malware engines and to sanitize file uploads has serious consequences and dramatically increases the chances of a breach.

Shared Responsibility: A Separation of Security Concerns

[Figure: diagram showing the separation of cybersecurity concerns between organization/customer and vendor]

If your application uses technology like F5 NGINX—or any network devices such as load balancers, web application firewalls, reverse and forward proxies, etc.—you may be unaware of your role in securing applications. These network devices take care of the network security responsibilities like network access management, security policy management, regulatory compliance storage, and container security.

The division of security responsibilities is intentional. Sharing responsibilities strengthens your security posture. Essentially, stick to what you know best. For network security, your best bet is to leave it to F5 NGINX. However, finding a solution for malicious file uploads is your responsibility. For example, OPSWAT specializes in file upload security, content scanning for malware, and customer data protection. Our technology platform, MetaDefender, is designed to prevent malicious files from entering your network.

Another common concern is compliance. If you allow users' data into your systems, there are a host of application security compliance mandates that are your organization's responsibility. F5 and NGINX handle network compliance, but you need a file upload and data protection solution on top of your network security.

The shared responsibility model enables vendors to focus on their concerns and allows customers flexibility to choose the best tools for their use case. If your use case involves file uploads, you need a comprehensive, zero-trust solution.

How Multiple Layers of Defense Achieve Zero Trust

[Figure: diagram of a file traveling through 5 layers of defense in order to be safe to use]

The first layer of defense against malicious file uploads starts with scanning files for known threats. OPSWAT Multiscanning technology combines multiple leading anti-malware engines to achieve over 99% detection accuracy. These engines specialize in detecting certain types of known malware. Some engines utilize heuristics and machine learning to rate the probability that a file contains unknown malware.

But scanning with multiple anti-malware engines is not enough to defeat unknown threats. To protect against unknown threats and zero-day attacks, OPSWAT uses Deep CDR (Content Disarm and Reconstruction), a form of content sanitization that generates safe, usable files free of malware and quarantines the original file. Deep CDR handles over 120 file types. It uses recursive sanitization to go deeper than regular CDR: it scans popular archive files like .rar and .zip, as well as objects embedded in documents, like images in PDF and Office Suite files.
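The recursive descent into archives described above can be sketched as follows. This is an added example, not OPSWAT code and not how Deep CDR is implemented: it only unpacks nested .zip files with the Python standard library, and a SHA-256 blocklist stands in for the scanning engines. The function names, the depth limit and the size budget are assumptions chosen for illustration.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 3                # assumed policy: archive nesting levels to unpack
MAX_TOTAL_BYTES = 1_000_000  # assumed policy: decompressed bytes allowed per upload

class UploadRejected(Exception):
    """Raised when an upload exceeds the unpacking policy."""

def walk_upload(name, data, depth=0, budget=None):
    """Yield (path, sha256) for every leaf file, descending into nested ZIPs."""
    budget = budget if budget is not None else [MAX_TOTAL_BYTES]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        yield name, hashlib.sha256(data).hexdigest()
        return
    if depth >= MAX_DEPTH:
        # Refuse instead of passing an archive we did not look inside.
        raise UploadRejected(f"{name}: nested deeper than {MAX_DEPTH} levels")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                # Read at most budget+1 bytes; the declared size is not trusted.
                chunk = member.read(budget[0] + 1)
            if len(chunk) > budget[0]:
                raise UploadRejected(f"{name}: decompressed size over budget")
            budget[0] -= len(chunk)
            yield from walk_upload(f"{name}/{info.filename}", chunk, depth + 1, budget)

def scan(name, data, blocklist):
    """Return the paths of leaf files whose SHA-256 is on the blocklist."""
    return [path for path, digest in walk_upload(name, data) if digest in blocklist]

def make_zip(members):
    """Build a ZIP in memory from {filename: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()

if __name__ == "__main__":
    bad = b"constructed stand-in for a known-bad payload"
    inner = make_zip({"invoice.txt": b"hello", "macro.bin": bad})
    outer = make_zip({"readme.txt": b"hi", "docs.zip": inner})
    print(scan("upload.zip", outer, {hashlib.sha256(bad).hexdigest()}))
```

An upload that is nested too deeply or expands past the budget is rejected outright rather than forwarded unscanned, which is the fail-closed behaviour a zero-trust upload path needs.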

Lastly, you need visibility and control over the sensitive data moving through your system. Zero Trust assumes that you are at constant risk. Our Proactive DLP (Data Loss Prevention) technology identifies sensitive content in files like personally identifiable information (PII), credit card numbers, and much more.

Add File Upload Security to the Shared Responsibility Model: Plug-and-Play Security Solution

[Figure: diagram of where the MetaDefender ICAP Server NGINX Module plug-and-play solution fits into the shared responsibility model]

In our survey, we found that users of F5 NGINX want a plug-and-play security solution. To meet these needs, OPSWAT developed an all-in-one solution to file upload security that empowers organizations to protect data and helps them stay compliant.

The simplest, most cost-effective way to strengthen your security is to add another layer of defense to F5 and NGINX network security with a plug-and-play solution like OPSWAT MetaDefender ICAP Server. We combine over 30 anti-malware scanning engines with Deep CDR and Proactive DLP (Data Loss Prevention) to help organizations achieve Zero Trust in network traffic security.

Get in touch if you want to learn more about how MetaDefender ICAP Server easily secures modern applications.