Posted by hyperguard on October 16, 2009
It’s getting closer to OWASP’s AppSecDC show, Nov 10-13, and this year’s show will feature the announcement of an updated Top 10 web vulnerabilities list for the first time since 2007. This list impacts the entire WebAppSec industry and there are a number of interesting effects anticipated here.
How will these updates impact PCI-DSS which is currently in the process of redefining requirements for a virtualized market? The OWASP Top 10 forms an important part of PCI so any updates are sure to have an impact.
What impact will this have on the Cloud Security Alliance’s (CSA) guidelines for the industry? Again, they factored the Top 10 in predominantly. The CSA is preparing an update of these guidelines before the end of the year. Our Alex Meisel is contributing heavily this time around to the WAF section.
If you’re going and would like to meet up with Art of Defence’s Georg Hess, leave a comment and we’ll get you on his calendar.
Hope to see you in DC!
Posted in Post | Tagged: OWASP, PCI DSS | Leave a Comment »
Posted by hyperguard on September 25, 2009
This week in Las Vegas, the PCI Virtualization Special Interest Group (PCI SIG) is meeting to figure out how to handle the growing use of this computing market. Long overdue, the group still is neglecting important aspects for web application firewall (WAF) specifics. There have been countless discussions, articles and commentary about PCI in general, yet the WAF guidelines remain simple: get one, use it and make sure it integrates with other measures. Technically, this is the web application protection requirement 6.6 option 2.
What’s missing is ruleset flexibility and control, which also happen to be the biggest points of contention with WAF technology today. A little variety in deployment is also handy in a virtualized setting for ease of deployment – a distributed WAF if you will, or dWAF. Specifically:
Detection and Protection
Foundational security using black, white and grey listings for application requests and responses must be possible. To make sure pre-set policy enforcements are not activated or deactivated without approval from an administrator, deployment and policy refinement through establishing rulesets must be possible in a shadow monitoring or detection only mode. Once the shadow monitoring ruleset is stable, only then should it be allowed to deploy in an enforcement mode on the dWAF. This allows complete transparency for the administrator into the real-world effect of this ruleset, while at the same time allowing layered rulesets to be tested without compromising existing policy enforcement. Avoiding false positives and relaxed established defenses are essential for a real-world, usable dWAF in a cloud.
Automated learning and ruleset suggestions based on intelligent algorithms or recommendations from a static source code analyzer or web vulnerability scanner are also desirable from a manageability view. Again, this only holds true if the administrator retains full control over activation / deactivation of each ruleset. Without this control, wanted traffic may become blocked and policy settings would become compromised.
Pro-active security functions are highly recommended to reinforce any application in a cloud. Detection is simply not enough for today’s web application security. Features like transparent secure session management, URL encryption and form-field virtualization will provide strong deterrence to attack, while saving application development and deployment time. These features are effective because session management, URL encryption and form-field virtualization is done at the dWAF level and not in the application itself.
An authentication framework support that enables businesses to consolidate their applications under one management schema is also desirable for a dWAF. This enables users to handle the authentication in front of their applications rather than behind, which adds another perimeter of security. A consolidation of all applications with dedicated rights-management ability is also a strong usability function that will make an administrator’s life easier.
More info here: http://www.artofdefence.com
Posted in Post | Tagged: dWAF, PCI DSS, WAF | Leave a Comment »