Securing A 3rd Party Web App That Can’t Be Touched

Securing A 3rd Party Web App That Can’t Be Touched


A government agency had an old web application that was delivering core service capability. Although functionally adequate a routine security audit revealed significant short comings.

Listed within the findings was that communication with the application was only implemented in clear text over http and not encrypted over https.

Normally this would be a simple fix with the webserver modified to accept traffic over an encrypted port and an SSL cert and private key loaded.

The problem was that the application and web server could not be touched at all.

The normal solution in such a case is to employ a reverse proxy to perform SSL offload. Although technically possible the costs were seen as prohibitive.



RedShield was apply to propose 2 cost effect solutions to this specific problem.

In both cases RedShield was to act as a reverse proxy with the SSL cert and private key loaded onto RedShield, then RedShield decrypts the traffic and transmit it in clear text to the unmodified webserver.

In the first solution and simplest solution RedShield transmits the clear text traffic over the internet. Although this architecture does propose a risk that if an attacker is listening between RedShield and the Webserver they can see the communication, the practical nature of the exploit requires a ‘man in the data center’ scenario to be successful. On the riskier access side, ie ‘man in the middle’ on WIFI and other public access networks the threat is completely neutralised.

The second solution overcomes this ’man in the data center’ risk by transmitting the clear text information from RedShield over a tunnel. This has the downside of complexity and the requirement for tunnel termination equipment at the webserver site.


“Being unable to touch such a critical application put us in a difficult situation with the auditors and management. Redshield’s solutions were pragmatic with the risks clearly communicated. Once selected, the deployment was straight forward. The scores we now achieve from our auditors are exactly what we were after.”



In weighing up the risk vs complexity of the 2 solutions, a decision was made to go with the similar solution and accept the ‘man in the data center’ risk.

The solution was quickly deployed and tested out of path with a self signed certificate with positive results. A cert was then ordered and on delivery the production certificate applied.

Further security testing and tuning was then applied to address:

  1. Reported application vulnerabilities
  2. Approach application hygiene hardening
  3. A strong base level protection against generic threats

Once complete the solution was cut over seamlessly. As a result audit reports immediately showed the previously reported issues resolved.

May 21, 2020