Hyperguarding your Web Applications

Posts Tagged ‘cloud’

WAF in the Cloud

Posted by hyperguard on January 22, 2010

Fellow OWASP member, Ofer Shezaf, recently presented at a chapter meeting and gave an overview of how WAFs interact with cloud computing, both using the cloud and protecting cloud-based applications. During his presentation he discussed the following scenarios:

  • Enterprise Security Gateway
  • WAF as a service: For protecting a data center or SaaS
  • WAF for a cloud deployment: Host Based or Infrastructure Based
  • WAF stubs

Mentioned in his presentation and also in an earlier post, Ofer notes that the two challenges facing WAFs in the cloud are bandwidth and complexity; however, art of defence has tackled these problems with hyperguard, which meets Xiom's definition of a true WAF.

Ofer mentions hyperguard SaaS for AWS within his presentation, and notes that many well-known WAFs actually stop at simple signatures and are hardly true WAFs. What is considered a true WAF for the cloud?

Xiom is a great source of information on WAFs and a resource for our readers; check out Ofer’s blog at http://www.xiom.com/ and view his entire presentation under our ‘Resources’ tab.

Follow this discussion on Twitter @hyperguard



Weekly Industry Round-up: Week of November 2nd

Posted by hyperguard on November 6, 2009

Online Security Authority…
Building Security Into Your Organization’s Web Applications to Begin With
This post discusses the importance of Web application protection being the chief component of the Web application development process and having it integrated from the ground up. It suggests the essential change is one of attitude and awareness among the company’s software developers. Security flaws should be viewed as just another category of application defect. Throughout the software development process, the focus must be on addressing the ever-changing potential for deficiencies and staying aware of new vulnerabilities and exploitation strategies.

Six Steps to Pull App Security Back to the Future
Bill Brenner speaks with fellow OWASP member Matt Fisher about some of the key problems with app security today, and together they dive into six different ways to change these. Bill wrote this article in conjunction with the upcoming OWASP show, AppSecDC. This is a great read; it provides helpful background information and links to other app security articles.

Dark Reading…
Tech Insight: Managing Vulnerability In The Cloud
Writer Curt Franklin explores a common question: how do you manage vulnerabilities in your IT infrastructure when it is in the cloud? Although this is largely in your provider’s hands, Curt provides readers with some best practices and tips for controlling it.


@Hoff’s “Cloud Providers & Security” Beef Post

Posted by hyperguard on October 5, 2009

Couldn’t agree more! Hoff hits a key security issue for the cloud space. Speaking from the WAF standpoint, complexity is the main issue. For a cloud provider to offer full security services to any customer, they will have to address a host of issues.

  1. Right up front, hardware WAFs are out (scaling dictates software). Appliance solutions that resist virtualization will cripple a provider. Imagine 500 applications (each a separate customer of the cloud provider) in need of 500 sets of WAF boxes. This could mean thousands of appliances, depending on the traffic capacity of each box.
  2. Granular black / white / grey listing filters are a must. Each of the 500 customers will have very different WAF needs, and for the cloud provider to have a reasonable offering, the WAF must cover each customer’s needs; otherwise it will have little value. Further, rulesets must be grouped by customer > by application > by filter > by detect or protect.
  3. Integration with source code analyzers is key. By linking the two tools, the cloud provider will be able to monitor and react proactively to attacks across all 500 applications. Think of the value the provider would be able to offer customers (new revenue streams?).

Art of Defence’s CTO defined what this might look like and the pressures of the cloud in this white paper. Worth a read if you’re a cloud provider considering integrating a WAF.


SANS: “60% of Attack Activity Directed to Hack Web Sites” (!) Yikes.

Posted by hyperguard on September 17, 2009

Earlier this month, SANS Institute issued a new biannual report with some scary statistics about web applications. If you don’t have time to sift through the entire report (it’s worth the time if you can), basically OS attacks are down, application threats are up and attacks on web applications (such as websites) are way up – 60% of the total activity according to Rohit Dhamankar of TippingPoint’s DVLabs. Mr. Dhamankar’s company provided a lot of the data for the SANS report. Here’s an excerpt from the report:

“Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.”

Think about cloud computing after reading what SANS has found and realize that cloud applications are even more exposed to this problem. Those in the industry have known this to be the case for a long time, so it’s good to see SANS making headlines with the actual data! Hopefully the New York Times coverage helps shed much-needed light on this issue.


Reaction to SearchSOA.com: Common WebAppSec exploits

Posted by hyperguard on September 17, 2009

Great article on the 16th from SearchSOA.com by Rob Barry. He interviews a developer at Mozilla Labs – Joe Walker – about a few of the OWASP Top 10 and how to develop around them. Walker’s focus as a developer is on creating / patching / managing security threats to apps. What’s missing from Barry’s article, however, is the incredible pain this approach causes companies right now.

Refactoring code once it’s in use (particularly WebApps and cloud services) is incredibly expensive, time consuming and difficult. Source code scanners play a role in easing some of this pain, although web application firewalls (WAFs) are a much more practical fix, AND, linking the scanner software directly with the WAF cuts down the need for application downtime.

If done right, the scanner detects software vulnerabilities and feeds any findings directly into the WAF. For our distributed WAF (dWAF) solution, hyperguard, all security lapses identified by a scanner are immediately presented to the administrator through dynamic ruleset suggestions. Conflicting dWAF rulesets, which may leave holes in web application shielding, are prevented. In plain English, this means that development, testing and deployment of new application security policies can happen in real-time without ever relaxing the established defenses or risking false positives. ‘Patches’ are applied through the dWAF until regular maintenance cycles can be scheduled to refactor the actual application code.
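To make the two ideas above concrete, here is an added example (not hyperguard’s code, and not how the dWAF is implemented): a toy ruleset model grouped customer > application > rule > detect-or-protect, as called for in the Hoff reaction post, plus the scanner-to-WAF step described here, where each scanner finding becomes a suggested block rule that starts in detect mode and is refused when an earlier allow or grey rule would silently override it. The finding format, the per-type signatures, the rule names and the first-match-wins evaluation order are all assumptions made for the example; the scanner findings and request lines are constructed sample data.

```python
"""Added example (not hyperguard's code): toy multi-tenant WAF rulesets and a
scanner-to-WAF suggestion step with conflict prevention. All formats assumed."""
from dataclasses import dataclass, field
import re


@dataclass
class Rule:
    name: str
    pattern: str            # regex tested against "METHOD path?query"
    action: str             # "block", "allow" or "grey" (grey = allow but log)
    mode: str = "protect"   # "detect": log only; "protect": enforce


@dataclass
class AppRuleset:
    customer: str           # tenant
    app: str                # one application of that tenant
    rules: list = field(default_factory=list)   # ordered; first match wins


# Signatures per finding type (assumed for the example; real scanners and WAFs
# ship far richer rule sets)
_SIGNATURE = {"sqli": r"'|%27|\bOR\b", "xss": r"<|%3C"}


def evaluate(ruleset, request_line):
    """Return (decision, log_entries); decision is 'allow' or 'block'."""
    for rule in ruleset.rules:
        if not re.search(rule.pattern, request_line):
            continue
        if rule.action == "allow":
            return "allow", []
        if rule.action == "grey":
            return "allow", [f"grey:{rule.name}"]
        if rule.mode == "detect":          # block rule still in shadow mode
            return "allow", [f"detect:{rule.name}"]
        return "block", [f"block:{rule.name}"]
    return "allow", []                     # no rule matched


def suggest_rule(finding):
    """Build a block rule for one scanner finding; it starts in detect mode."""
    sig = _SIGNATURE[finding["type"]]
    pattern = (rf"{re.escape(finding['path'])}\?.*"
               rf"\b{re.escape(finding['param'])}=[^&]*({sig})")
    name = f"{finding['type']}-{finding['path']}-{finding['param']}"
    return Rule(name, pattern, "block", mode="detect")


def apply_finding(ruleset, finding):
    """Add the suggested rule unless an earlier allow/grey rule would shadow it.

    Returns ('added', rule) or ('conflict', name_of_shadowing_rule)."""
    if (finding["customer"], finding["app"]) != (ruleset.customer, ruleset.app):
        raise ValueError("finding belongs to a different tenant or application")
    rule = suggest_rule(finding)
    for existing in ruleset.rules:
        if existing.action != "block" and re.search(existing.pattern, finding["evidence"]):
            return "conflict", existing.name   # earlier rule wins; the hole would stay open
    if not re.search(rule.pattern, finding["evidence"]):
        raise ValueError("suggested rule does not match its own evidence")
    ruleset.rules.append(rule)
    return "added", rule


def promote(ruleset, rule_name):
    """Switch a detect-mode rule to protect once it has been watched for false positives."""
    for rule in ruleset.rules:
        if rule.name == rule_name:
            rule.mode = "protect"
            return True
    return False


# Constructed scanner findings for one tenant's application (format assumed)
FINDINGS = [
    {"customer": "acme", "app": "shop", "type": "sqli", "path": "/products",
     "param": "id", "evidence": "GET /products?id=1' OR '1'='1"},
    {"customer": "acme", "app": "shop", "type": "xss", "path": "/search",
     "param": "q", "evidence": "GET /search?q=<script>"},
]


def build_demo_ruleset():
    rs = AppRuleset("acme", "shop")
    rs.rules.append(Rule("monitoring-allow", r"^GET /healthz$", "allow"))
    rs.rules.append(Rule("admin-grey", r"^\w+ /admin", "grey"))
    # An over-broad legacy whitelist: anything on /search is waved through
    rs.rules.append(Rule("search-allow", r"^GET /search\?q=[^&]*$", "allow"))
    return rs


def run_demo():
    rs = build_demo_ruleset()
    results = [apply_finding(rs, f)[0] for f in FINDINGS]   # ['added', 'conflict']
    attack = FINDINGS[0]["evidence"]
    before = evaluate(rs, attack)[0]        # 'allow': detect mode only logs
    promote(rs, "sqli-/products-id")
    after = evaluate(rs, attack)[0]         # 'block' once promoted to protect
    return results, before, after


if __name__ == "__main__":
    print(run_demo())
```

The conflict branch is the part worth noticing: the XSS finding is not turned into a rule because the tenant’s existing allow rule for /search would match the same request first, so the suggested block would never fire. Surfacing that to the administrator, rather than silently appending a dead rule, is what keeps a whitelist from quietly undoing a virtual patch.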


Jeremiah’s Right about Scalability

Posted by hyperguard on September 1, 2009

I recently read Web security is about scalability, a very interesting post by Jeremiah Grossman of White Hat Security. He discusses the importance of scalability in overcoming today’s Web security challenges. I would like to add some of my thoughts.

It has taken the industry over 10 years to realize that when dealing with Web application vulnerabilities, it must also deal with the scalability issues these applications face. This needs to happen in parallel with normal security testing. Jeremiah highlights the incredible scale involved today:

“Consider that there are 240+ million websites, millions more added every month, an unknown number of Intranet Web applications, 17+ million developers, and over one billion people on the Web. Any solution capable of making a real difference must be valued by its potential worldwide impact.”

Testing a web application on a single system (how most are tested before being sent out into the world) without taking scalability into account is costly. Once that application hits its performance limit, it usually means a redesign and rewrite of core elements to make it more scalable, changing how and what is important to test. Think of the OWASP Top 10 on Jeremiah’s scale!

Cluster computing, or cloud computing, presents a remedy to developing, testing and scaling web applications in a much more practical sense.

Flip the coin to protecting the applications once they’re live and in action, and Jeremiah’s scalability point becomes painfully apparent. Web application firewalls (WAFs) are the industry standard for this purpose; however, they are predominantly hardware. Hardware doesn’t scale – you have to buy another box. More boxes, more resource drain, fewer virtualized resources, and on and on.

The article Jeremiah references in his post (check here for the white paper), outlines my view of what the market needs from a WAF.
