Hyperguarding your Web Applications

Posts Tagged ‘dWAF’

dWAF as SaaS available through GoGrid

Posted by hyperguard on March 3, 2010

We recently announced hyperguard SaaS—the industry’s first cloud-based dWAF is available on the GoGrid Cloud. hyperguard SaaS Standard is the first of several service levels to be rolled out, and it offers users Web application security monitoring, detection-only and protection modes. With a SaaS delivery model, customers have the freedom to pay on a use-case basis and avoid having to invest in owning and maintaining a solution themselves.

GoGrid customers are able to access the solution by simply deploying a GoGrid Partner Server Image (GSI) with hyperguard SaaS installed. By integrating a dWAF right into a virtual image and hosted as a SaaS, customers overcome the false sense of security created by traditional network perimeter security strategies which fail at the application level.

For additional information and details the promotion to test the service http://gogrid.artofdefence.com.

Follow this discussion on Twitter, @hyperguard, @GoGrid and #RSAC


Posted in Post | Tagged: , , | Leave a Comment »

External Hacks are More Serious than You Think

Posted by hyperguard on February 3, 2010

If you really look at security breaches you will notice that the vast majority are caused from the outside—not the inside.  Security experts and industry personnel have led us to believe that disgruntled employees, misplaced documents, flash drives and devices and sheer management policies are more prevalent than hackers.  Well guess again.  We spoke to art of defence’s Sebastian Haase on this and he shared with us that this is not necessarily the case.  Yes—internal breaches do occur and they are serious, but so are external hacks, particularly those to the web application layer.  If you look at Jeremiah Grossman’s presentation, Web Vulnerabilities Revealed: What everyone knew, but afraid to believe, you will read startling web vulnerabilities statistics based on the OWASP Top Ten and realize that these weakness are clear openings for hackers.

According to Jeremiah’s presentation, 9 out of 10 websites have serious vulnerabilities and sites with urgent, critical or high severity issues will not pass PCI compliance—a major concern for financial services, retail and e-commerce.  Another consideration to think about is the amount of time it takes to fix vulnerability—67 days!  This known weakness heightens the situation for companies and increases the chance of a severe breach.  It is important to shield applications from web vulnerabilities with a distributed web application firewall (dWAF) and protect against widespread external hacks.

Follow this conversation on twitter @hyperguard

Posted in Post | Tagged: , , , , | 1 Comment »

dWAF as SaaS available through AWS

Posted by hyperguard on November 10, 2009

Today we announced hyperguard SaaS—the industry’s first dWAF as a SaaS through Amazon Web Services (AWS).  AWS customers or solution providers can protect applications by applying hyperguard SaaS either as software plug-in to an existing web server Amazon Machine Image (AMI), or by using AoD’s custom AMI.  The solution solves the limitations of traditional WAFs being forced to secure cloud applications, which they weren’t specifically designed for.

It is highly scalable and ideal for virtualized resources—AoD hosts the resource-heavy pieces of the dWAF on Amazon EC2 and leaves just a small footprint on the customer’s AMI. Therefore, hyperguard scales simply with the number of web server AMIs that run the customer’s application being protected without a need to purchase additional AMIs.  This allows customers to pay on a use-case basis and avoid investing in intensive solutions.

hyperguard SaaS provides web application security monitoring, detection-only and protection modes. For additional information or to test the service for free go to http://aws.artofdefence.com

Posted in Post | Tagged: , , , , | Leave a Comment »

@Hoff’s “Cloud Providers & Security” Beef Post

Posted by hyperguard on October 5, 2009

Couldn’t agree more! Hoff hits a key security issue for the cloud space. Speaking from the WAF standpoint, complexity is the main issue. For a cloud provider to offer full security services for any customer, they will have to migrate a host of issues.

  1. Right up front, hardware WAF’s are out (scaling dictates software). The anti-virtualization appliance solutions will cripple a provider. Imagine 500 applications (each a separate customer for the cloud provider) in need of 500 sets of WAF boxes. This could mean 1,000’s of appliances pending the traffic capacity of each box.
  2. Granular black / white / grey listing filters are a must. For the 500 customers, each will have very different WAF needs and in order for the cloud provider to have a reasonable offering, the WAF must cover each customer’s needs, otherwise it will have little value. Further, rulesets must be grouped by customer > by application > by filter > by detect or protect.
  3. Integration with source code analyzers is key. By linking the two tools, the cloud provider will be able to monitor and react proactively to attacks across all 500 applications. Think of the value the provider would be able to offer customers (new revenue streams?).

Art of Defence’s CTO defined what this might look like and the pressures of the cloud in this white paper. Worth a read if you’re a cloud provider considering integrating a WAF.

Posted in Post | Tagged: , , | Leave a Comment »

The XaaS Landscape: Where’s Security Being Discussed?

Posted by hyperguard on September 28, 2009

The ‘as-a-service’ – or XaaS – opinion and future-casting has officially taken off. Thinking Out Cloud gives a good overview (although we have a slightly different view of the conclusion). Risk Bloggers shared a few worthy thoughts on making sure you end up with a stable XaaS (referred to as cloud) provider.

Security is the giant reality check to the hype curve here. It’s being discussed in terms of web application development from the ground-up, combined with policy changes. See Jon Oltsik’s commentary. Vendors are having their say, such as GigaSpace. Amazon of course is leading the discussion. The busy folks at Rackspace are in full tilt on the issue (as you’d expect).

So what’s missing? Only that the before mentioned musings all focus on security as a starting point before launching XaaS’s. All well and good, however, what about the raft of applications that have been pushed out of the network and live as XaaS’s right now? Are they left ‘to the wild’ as it were?

Companies can’t take the time, effort and risk of taking applications offline to refactor (or re-architect from scratch). One approach is to hook a source code scanner into your distributed Web application firewall (dWAF) to create a virtual patch until the developers can get their hands on the code and fix it. Art of Defence’s thoughts on dWAF use here.

Starting security from scratch for XaaS’s is the right thing to do, yet there are ways to shore up existing applications right now.

Posted in Post | Tagged: , , , | Leave a Comment »

A Virtual Certainty for PCI?

Posted by hyperguard on September 25, 2009

This week in Las Vegas, the PCI Virtualization Special Interest Group (PCI SIG) is meeting to figure out how to handle the growing use of this computing market. Long overdue, the group still is neglecting important aspects for web application firewall (WAF) specifics. There have been countless discussions, articles and commentary about PCI in general, yet the WAF guidelines remain simple: get one, use it and make sure it integrates with other measures. Technically, this is the web application protection requirement 6.6 option 2.

What’s missing is ruleset flexibility and control, which also happen to be the biggest points of contention with WAF technology today. A little variety in deployment is also handy in a virtualized setting for ease of deployment – a distributed WAF if you will, or dWAF. Specifically:

Detection and Protection

Foundational security using black, white and grey listings for application requests and responses must be possible. To make sure pre-set policy enforcements are not activated or deactivated without approval from an administrator, deployment and policy refinement through establishing rulesets must be possible in a shadow monitoring or detection only mode. Once the shadow monitoring ruleset is stable, only then should it be allowed to deploy in an enforcement mode on the dWAF. This allows complete transparency for the administrator into the real-world effect of this ruleset, while at the same time allowing layered rulesets to be tested without compromising existing policy enforcement. Avoiding false positives and relaxed established defenses are essential for a real-world, usable dWAF in a cloud.

Automated learning and ruleset suggestions based on intelligent algorithms or recommendations from a static source code analyzer or web vulnerability scanner are also desirable from a manageability view. Again, this only holds true if the administrator retains full control over activation / deactivation of each ruleset. Without this control, wanted traffic may become blocked and policy settings would become compromised.

Application Shielding

Pro-active security functions are highly recommended to reinforce any application in a cloud. Detection is simply not enough for today’s web application security. Features like transparent secure session management, URL encryption and form-field virtualization will provide strong deterrence to attack, while saving application development and deployment time. These features are effective because session management, URL encryption and form-field virtualization is done at the dWAF level and not in the application itself.

An authentication framework support that enables businesses to consolidate their applications under one management schema is also desirable for a dWAF. This enables users to handle the authentication in front of their applications rather than behind, which adds another perimeter of security. A consolidation of all applications with dedicated rights-management ability is also a strong usability function that will make an administrator’s life easier.

More info here: http://www.artofdefence.com

Posted in Post | Tagged: , , | Leave a Comment »

Exposed to XSS? Regain Your Composure (and Security)

Posted by hyperguard on September 22, 2009

I recently read a very interesting article, Tech Insight: XSS Exposed, by Dark Reading’s John Sawyer. He discusses how a cross-site scripting (XSS) attack can steal a user’s credentials, exploit their Web browsers and take action on their behalf without their knowledge. I wanted to add some of my thoughts on this article and share ways users can prevent and protect themselves against these attacks.

As stated in the article, XSS is always caused by missing input validation, the place where hyperguard comes into play. It scans every request (and therefore every user input) for malicious code that wants to be stored or executed. When a user is tricked into clicking a link containing XSS, the request is denied by the distributed web application firewall (dWAF) and the script will not run. Also, the script will not get stored into a database if the dWAF prohibits the request with the data from entering the web application. The problem with persistent XSS is that it is typically done on a prepared site that has bait for the victim, resulting in running malicious code.

The mechanism behind the protection that hyperguard delivers is easy and contains blacklist rules. These patterns know what an XSS looks like and causes the dWAF to deny the request. The second and more secure approach is to whitelist all input in the application. This is more work, but it helps to create a very secure web application, where every user input is validated. XSS attacks can take on many forms so you should never trust input from users.

In John’s article, he mentions OWASP’s XSS Prevention Cheat Sheet, which provides detailed information on when and where encoding should be done. XSS attacks should be taken seriously because they do happen often and can be very costly for businesses. It is important to take the necessary steps to prevent them and learn how to protect yourself if they do occur.

Posted in Post | Tagged: , , , | Leave a Comment »